Additional MFA for azure ad joined devices, intune managed device, pin login

A.Frick - ipstyle 40 Reputation points
2023-06-21T04:12:20.3066667+00:00

Hi Admins,

How do you deal with the following situation?

Infrastructure Situation:

  • Azure AD Joined Notebooks
  • Setup with WHfB, Pin Set
  • Fully intune managed W11 notebooks
  • Conditional Access Rules in Place
  • AzureJoined Device with Pin Login
    = Trusted Device Login, no additional MFA required
  • Named Location with from Trusted Office IP
    = Trusted Location Login, no additional MFA required

We have a client that asks for the following options:

  • Q1) Customer asked for MFA every 7 days, enforced at system login
  • Q2) Customer asked to have MFA enforced for EVERY login because the PIN is unsafe

My statement:

  • PIN is more secure than a password because it's tied to a managed end device
  • There's no additional MFA required
  • MS best practice setup (still looking for a best practice manual/info)

What are your thoughts regarding these questions/requirements?

Any way to enforce MFA every 7 days or at notebook login?

Thanks

Microsoft Entra ID

2 answers

  1. Carlos Solís Salazar 17,891 Reputation points
    2023-06-22T12:51:59.8033333+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    I understand that you

    Sign in frequency and MFA

    Hope this helps!


    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.

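As an added example (not code from this thread or from Microsoft), here is the Q1 requirement expressed as a Conditional Access policy that combines the MFA grant control with a sign-in frequency of 7 days, built with the Microsoft Graph PowerShell SDK; the group ID is a placeholder, and the cmdlet names, scopes and schema fields are assumed from the SDK's published Graph API.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller
# has consented to Policy.ReadWrite.ConditionalAccess.
# <pilot-group-object-id> is a placeholder for a real group object ID.

function New-MfaFrequencyPolicyBody {
    param(
        [string]$PilotGroupId,
        [ValidateSet("timeBased", "everyTime")]
        [string]$Interval = "timeBased",   # "everyTime" models the customer's Q2 request
        [int]$Days = 7                     # ignored when Interval is "everyTime"
    )

    $signInFrequency = @{
        isEnabled          = $true
        frequencyInterval  = $Interval
        # Re-prompt for the full sign-in (primary + second factor), not only the second factor.
        authenticationType = "primaryAndSecondaryAuthentication"
    }
    if ($Interval -eq "timeBased") {
        # Graph requires type/value only for time-based intervals.
        $signInFrequency.type  = "days"
        $signInFrequency.value = $Days
    }

    return @{
        displayName = "Require MFA and re-authentication ($Interval) - pilot"
        # Start in report-only and review sign-in logs before switching to "enabled".
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users        = @{ includeGroups = @($PilotGroupId) }
            applications = @{ includeApplications = @("All") }
            platforms    = @{ includePlatforms = @("windows") }
        }
        grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
        sessionControls = @{ signInFrequency = $signInFrequency }
    }
}

# Q1: MFA with re-authentication every 7 days, scoped to a pilot group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$body = New-MfaFrequencyPolicyBody -PilotGroupId "<pilot-group-object-id>" -Days 7
New-MgIdentityConditionalAccessPolicy -BodyParameter $body
```

Because a WHfB PIN sign-in already carries the MFA claim in the PRT, the "mfa" control is satisfied by WHfB itself; what this policy adds is the forced re-authentication interval for cloud-app sessions. Conditional Access does not govern the Windows lock-screen sign-in, so "MFA at notebook login" is not something this policy can enforce.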

  2. Givary-MSFT 32,591 Reputation points Microsoft Employee
    2023-06-26T16:39:05.57+00:00

    @A.Frick - ipstyle Thank you for reaching out to us. Yes, you are correct: if WHFB is configured, there is no need for additional MFA, as the PRT has an MFA claim.

    Windows Hello for Business replaces passwords and uses cryptographic keys to provide strong two-factor authentication. Windows Hello for Business is specific to a user on a device, and itself requires MFA to provision. When a user logs in with Windows Hello for Business, the user’s PRT gets an MFA claim. - https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#:~:text=Sign%20in%20with%20Windows%20Hello%20for%20Business%3A


    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq#:~:text=Is%20Windows%20Hello%20for%20Business%20considered%20multifactor%20authentication%3F

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.
