How to enable MFA (via DUO) for AAD joined Windows devices

John Case 20 Reputation points
2023-03-22T14:15:55.5866667+00:00

We are attempting to enable MFA for Windows logins for devices that are AAD joined (not hybrid). Ultimately we would like to use Duo as our MFA provider, and I've followed their instructions for setup located here.

https://duo.com/docs/azure-ca

We have conditional access set up, and it works great when we join a device to AAD, but can't get it to come up when a user logs into a laptop. Is there a specific CA policy that can be used that includes Windows Sign In?

Windows 11
Microsoft Entra ID

Accepted answer
  1. Michael Durkan 12,201 Reputation points MVP
    2023-03-22T19:10:45.4533333+00:00

    Hi

    The DUO control you have installed above is more to do with conditional access to applications in the same way as native Azure MFA would work with Authenticator.

    MS does not allow any Azure MFA at the time of Windows login, so you would need a 3rd party tool. From a DUO perspective you could use the RDP/Console MFA offering to make this work:

    https://duo.com/docs/rdp

    You should already be licensed for this with your existing DUO subscription.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
    1 person found this answer helpful.
