There is a supported path for this but it requires ADFS:
Conditional Access to require MFA to log onto domain-joined computer
Are you able to use conditional access to require MFA when logging into a domain user account on a domain joined computer?
3 answers
Michael Morten Sonne 605 Reputation points MVP
2024-03-19T16:58:19.5566667+00:00 For e.g. Entra ID devices, for "Windows Sign in," I presume it's simply the user signing in on the Windows device itself, right?
Certain applications, such as "Windows Sign In," do not have Conditional Access support. This particular application is utilized when a user logs onto an Entra ID Joined device, whether it's online or offline. Because the default Windows logon screen isn't built on a web-based user interface, conducting Conditional Access checks is not feasible.
I think that is what you refer to, right? :)
Edit: Andy David - MVP's answer, that ADFS is the only way, is correct as it is for now :)
We just wrote at the same time..
Sergio Herrera 0 Reputation points
2024-03-19T17:31:45.96+00:00 Yes, I am looking for a way to require MFA when a user signs into a Windows device. So it sounds like to accomplish what I am looking to do we would need to un-join the devices from the domain and then enroll them in Entra ID?
Or can Azure AD Connect be used to accomplish what I am looking to do?