Hi there, and thank you for contacting the Microsoft Community.
Please review my responses to your questions below.
1. If the client wants to use either Windows Hello for Business or Microsoft Authenticator instead, what steps should be taken?
You can have both WHFB and the authenticator in place, so if a user works on a device that does not support WHFB, the authenticator can be used instead.
Setting up passwordless sign-in with the authenticator can be achieved by following this doc:
Passwordless sign-in with Microsoft Authenticator - Microsoft Entra | Microsoft Learn
Windows Hello for Business has 3 deployment and trust models depending on your environment and preference. You should review the following document to find the deployment model that suits.
Windows Hello for Business Deployment Overview - Windows Security | Microsoft Learn
Does the client need to provide a password to all the users, and then these users can set up Windows Hello for Business or Microsoft Authenticator passwordless sign-in?
__Users will still require their Azure AD password in order to authenticate to the tenant initially. If the device they are using supports provisioning WHFB (depending on your deployment), then they will be prompted to set up their PIN and WHFB biometrics.
If the device does not support WHFB then the user will sign in to their machine using their AAD username and password.__
2. Should we cut off the connection to Azure AD from OneLogin first? What should the procedure be?
Please review the following doc on migrating to cloud authentication from federation.
Perhaps a staged rollout would be the safer option with a test group.
3. The client is concerned about Windows Hello for Business passwordless since users can log in with a PIN instead of biometric authentication. Some users tend to keep a note on the laptop, indicating their PIN or password. Any solution for this (we told them not to do this, but some of them won't listen to us)?
If passwords and PINs are being written down, this is obviously a security risk and users should be advised not to do so. An extra level of security would be using MFA, so even if a password is compromised the attacker would also need the user's end authentication, i.e. Microsoft Authenticator.
However, if you wanted to move away from passwords and PINs altogether, perhaps FIDO keys are something you could consider.
4. There are mobile phones provided by the company, which are not registered in Intune. We saw the process in the document and decided to let users register as personal devices (the users do not want to reset all the information on their mobile). But if we allow users to register, all the users who even have no company-provided device can register to Intune, right? In this case, how can we make sure to allow only company-provided devices to access the resources?
In Intune, you can manage how to allow personal devices access to your resources.
Please review the following doc.
Do let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.