Unable to setup a conditional access policy where physical Device log ins required MFA

Gowri Sukumar 0 Reputation points
2024-12-13T08:47:31.2233333+00:00

One of our customers wants to set up the following security policy for device logins (PC / laptop / tablet / mobile):

Device login credentials are the same as the Office 365 account credentials, with multi-factor authentication, so that users can log in to the device only after authenticating via the Authenticator app.

Tags: Microsoft Authenticator, Microsoft Entra ID

1 answer

  1. BANDELA Siri Chandana 1,160 Reputation points Microsoft Vendor
    2024-12-13T13:05:15.7666667+00:00

    Hi @Gowri Sukumar
    Thank you for posting your query on Microsoft Q&A.

    I understand that you are trying to enforce a Conditional Access policy where users log in to devices only after multi-factor authentication via the Authenticator app.

    MFA cannot be explicitly enforced by Azure AD's Conditional Access policies for physical device logins, such as when a user logs into their Windows, macOS, or mobile device. Office 365, Microsoft Teams, and other cloud-based applications and services that can be used online are the main examples of Conditional Access. However, by utilizing a variety of methods and strategies, you can still accomplish your goal of requiring MFA for device logins.

    The following extra techniques and workarounds might help you accomplish the intended security policy for physical device logins:

    1. Utilize MFA enforcement with Windows Hello for Business. With Windows Hello for Business, users can connect their device to their Azure AD credentials by using their biometrics (fingerprint or face) or a PIN.

    When users first set up their device or access company services, MFA may be necessary. Users can utilize a PIN or biometric method for subsequent logins if Windows Hello has been configured to enforce MFA during setup (for example, through the Microsoft Authenticator app). In Azure AD, enable Windows Hello for Business. When users first authenticate, require MFA before allowing them to customize Windows Hello settings. Users can log in to their device using Windows Hello (PIN or biometric).

    Please Refer:

    Windows Hello for Business Overview: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/

    Configure Windows Hello for Business: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure

    What is Windows Hello for Business: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/

    MFA can be configured to enforce secondary authentication methods for cloud-based resources, but it's important to understand how to use it with device logins, especially when combined with tools like Windows Hello for Business.

    Azure AD Multi-Factor Authentication (MFA) Overview: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks

    Set up MFA for users: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

    Although Conditional Access doesn’t directly enforce MFA for device logins, you can require MFA for app access and cloud resources after logging into the device. These documents help you create and manage Conditional Access policies.

    Azure AD Conditional Access Overview: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

    Create a Conditional Access policy: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click `Accept Answer` and `Yes`.

    Thanks,

    B. Siri Chandana.
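The answer above describes the part that Conditional Access can do: require MFA when a user accesses cloud apps after signing in to the device. The following is an added example, not part of the question or the answer, showing how to create that policy with Microsoft Graph PowerShell (module Microsoft.Graph.Identity.SignIns). The display name and the break-glass group ID are placeholders, and the policy is deliberately created in report-only mode first.

```powershell
# Added example (not from the question or the answer above): creates the
# "require MFA for all cloud apps" Conditional Access policy that the answer
# refers to, using Microsoft Graph PowerShell. The display name and the
# break-glass group ID are placeholders; replace them before running.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumption: an existing emergency-access (break-glass) group to exclude, so a
# misconfigured policy cannot lock every administrator out of the tenant.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName   = 'CA001 - Require MFA for all cloud apps'
    # Report-only first: review the sign-in logs, then change the state to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the grant control and state are what was intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -contains 'mfa' -and
    $check.State -eq 'enabledForReportingButNotEnforced') {
    Write-Output "Policy '$($check.DisplayName)' created in report-only mode (Id: $($check.Id))."
} else {
    Write-Warning 'Policy was created but does not match the intended settings; review it in the Entra admin center.'
}
```

Two practical notes: keep the break-glass exclusion and the report-only state until the sign-in logs show the expected results, and remember that this policy is evaluated when the user's token is requested for a cloud app, not at the local Windows, macOS, or mobile sign-in screen, which is exactly the limitation the answer describes.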

