Hi @Gowri Sukumar
Thank you for posting your query on Microsoft Q&A.
I understand that you are trying to enforce a Conditional Access policy where users log into devices only after multi-factor authentication via the Authenticator app.
MFA cannot be explicitly enforced by Azure AD's Conditional Access policies for physical device logins, such as when a user logs into their Windows, macOS, or mobile device. Office 365, Microsoft Teams, and other cloud-based applications and services that can be used online are the main examples of conditional access. However, by utilizing a variety of methods and strategies, you can still accomplish your goal of requiring MFA for device logins.
The following extra techniques and workarounds might help you accomplish the intended security policy for physical device logins:
- Utilize MFA Enforcement with Windows Hello for Business. With Windows Hello for Business, users can connect their device to their Azure AD credentials by using their biometrics (fingerprint or face) or a PIN.
  When users first set up their device or access company services, MFA may be necessary. Users can utilize a PIN or biometric method for subsequent logins if Windows Hello has been configured to enforce MFA during setup (for example, through the Microsoft Authenticator app). In Azure AD, enable Windows Hello for Business. When users first authenticate, require MFA before allowing them to customize Windows Hello settings. Users can log in to their device using Windows Hello (PIN or biometric).
Please refer:
Windows Hello for Business Overview: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/
Configure Windows Hello for Business: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure
What is Windows Hello for Business: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/
MFA can be configured to enforce secondary authentication methods for cloud-based resources, but it's important to understand how to use it with device logins, especially when combined with tools like Windows Hello for Business.
Azure AD Multi-Factor Authentication (MFA) Overview: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
Set up MFA for users: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
Although Conditional Access doesn’t directly enforce MFA for device logins, you can require MFA for app access and cloud resources after logging into the device. These documents help you create and manage Conditional Access policies.
Azure AD Conditional Access Overview: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
Create a Conditional Access policy: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click `Accept Answer` and `Yes`.
Thanks,
B. Siri Chandana.
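One way to set up the "require MFA for app and cloud resource access after logging into the device" part of the answer above, as an added example that is not from the answer or from Microsoft's documentation: a Conditional Access policy created in report-only mode through the Microsoft Graph PowerShell SDK, so its effect can be reviewed in the sign-in logs before it is enforced. The break-glass account ID, the policy name and the presence of the Microsoft.Graph module are assumptions.

```powershell
# Added example: create a report-only Conditional Access policy that requires MFA
# for all cloud apps. Assumes the Microsoft.Graph PowerShell SDK is installed
# (Install-Module Microsoft.Graph) and the signed-in admin may write CA policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Assumption: replace with the object ID of your emergency-access (break-glass)
# account so an MFA outage cannot lock every administrator out of the tenant.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all cloud apps (report-only)"
    # Report-only: sign-in logs record what the policy *would* do, nothing is blocked.
    # Switch to "enabled" once the logged results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the built-in "Require multifactor authentication" control
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm it was stored with the intended state and control.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State
```

Because this policy targets cloud apps, it takes effect when the user opens Office 365, Teams or another Azure AD-integrated app after the device sign-in, not at the device sign-in itself, which matches the limitation the answer describes.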