Set up Azure MFA for workstation login

Anonymous
2023-02-16T18:37:38.7666667+00:00

We currently require MFA to authenticate workstations to login to windows 10 each day, we also use azure MFA for O365 access. Would like to reduce our cost with duo and utilize our Azure Premium P2 subscription to require MFA for workstation logins. Is this possible? We are a hybrid environment (on prem AD) syncing with Azure AD and password writeback .

Documentation or other material to accomplish this goal would be appreciated.

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,491 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,426 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Domingos Massissa 156 Reputation points Student Ambassador
    2023-02-16T19:21:44.3033333+00:00
    0 comments No comments

  2. Givary-MSFT 32,311 Reputation points Microsoft Employee
    2023-02-20T10:02:10.1366667+00:00

    @Anonymous Thank you for reaching out to us, As I understand you are looking to have a mfa solution for your client devices at the time of login ( at ctrl-alt-del screen), we don't have a direct mfa integration like duo at login screen, however you can refer to this article for detailed steps - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg enables secure verification for users attempting to sign in to a Remote Desktop Gateway.

    Would recommend Windows Hello for Business option - replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.

    Refer to this article for more information - Windows Hello for Business Overview

    We have different windows hello for business deployment models based on the existing environment - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

    Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.