Hello @Vlad Schwartz ,
Thank you for contacting Microsoft QnA platform. There can be multiple reasons for users to be prompted for MFA, however considering the resource you mentioned, I assume the “Require Multi-Factor Auth to join devices” setting could be the reason why some users are being prompted to set up MFA when then join the device to Azure AD/Entra ID. This setting can be found on the Azure AD Admin center under Devices > Device settings.
If this setting is enabled, it requires users to authenticate with a second device and two forms of credentials when they attempt to join a device to Azure AD. This could explain why users are seeing the MFA setup prompt after logging into Windows. You can check this setting by following these steps:
- Navigate to the Azure AD Admin center.
- Go to Devices > Device settings.
- Check the status of “Require Multi-Factor Auth to join devices”. If it’s set to “Yes”, this means MFA is required to join devices.
If you want to disable this, you can set “Require Multi-Factor Auth to join devices” to “No” and then click "Save". For more details you can review following documentation link: https://learn.microsoft.com/en-us/MEM/intune/enrollment/multi-factor-authentication
I hope this answer helps to resolve your issue. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.