This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 57.00000000000001%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
I am having a recurring issue where I setup laptops and join them to Entra and when I have a user sign in with through org credentials, windows hello gets prompted then looks for them to setup an authenticator. We are slow rolling the authenticators out and am enabling per user as we go.
I would like to have it where the user just signs in with their username and password and is in, no pin, no prompt to setup authenticator, nothing. Just a simple sign in with password.
I feel I have searched the web and found every nook and cranny where authenticator settings could be enabled to keep prompting this, but I've reached the end of the road, everything is off. We do use OATH and authenticators but that is enabled per user instead of for all users.
conditional access, self password reset, authentication methods, nothing is joined into intune, etc. But as of right now it's every single time the user signs in, and you can cancel out and it provides an error and the ability to skip for now.
Where do I go from here. We have a mixture of standard and premium licenses.
Thanks.
Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Microsoft has been setting MFA (multi-factor authentication) requirement as a security default. If you didn't want this then sign in here. (with your Azure / 365 account)
https://portal.azure.com/#home
then navigate to Microsoft Entra ID\Properties\Manage security defaults then choose Disabled
--please don't forget to close up the thread here by marking answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to close up the thread here by marking answer if the reply is helpful--
I have this off already. I have a lot of various MFA pieces off at the moment except for per user MFA. My issue is when I have a device joined on Entra, when a user goes to sign in with their credentials Windows Hello prompts for a pin then it states the organization needs more info to verify them and prompts them to setup MFA, Of course they can cancel and choose skip for now but this occurs on every sign in.
No, this was already off ontop of many other pieces that deal with MFA. My issue is entra joined devices prompting users every sign in with windows hello then suggesting the organization needs more info to verify them and prompts them to setup mfa. Of course they can cancel and skip for now but this is every sign in. I don't want that, I just want them to be able to sign in with credentials I will worry about MFA when ready.
Also check the settings found here.
--please don't forget to close up the thread here by marking answer if the reply is helpful--
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Just checking if there's any progress or updates?
--please don't forget to close up the thread here by marking answer if the reply is helpful--
Sorry for the delay, all possible settings in the documentation you provided have been disabled or removed and still the problem persists. I am going to attempt some testing over the holidays.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 6%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
I ran into the same issue, and found a solution at this site: https://www.sikich.com/insight/making-windows-hello-for-business-optional-on-microsoft-entra-joined-computers/ The quick answer is to make a .cmd file to add 3 registry entries and run it on the PCs.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 1 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics" /v Enabled /t REG_DWORD /d 1 /f
Running this eliminated the problem for me. Login with a password, and no prompt for MFA or Windows Hello.
