How to enforce MFA for users logging into an Entra ID joined machine?

Richard Francis 0 Reputation points
2025-01-09T16:28:53.8166667+00:00

Our environment has users log into a domain on Entra ID. The end goal is to use a Conditional Access Policy to have users MFA into their machines every time they log in.

The Conditional Access Policy requires them to use MFA to log into all Cloud Services.

I have a test user that I have been working with.

When the test user logged in to Office.com, he was required to set up MFA with Windows Authenticator.

I asked him to log out of his machine and back in.

He was not required to use MFA.

I asked him to log into a machine that he had never logged into.

On the first login he was required to authenticate using MFA, but when he logged out and tried to log back in, he was not required to use MFA.

I changed the "Session" setting to "Sign-in Frequency - Every Time".

I asked the user to test again and he was not asked to use MFA to authenticate.

Is there a setting or configuration I am missing?

Microsoft Entra ID

1 answer

  1. Thameur-BOURBITA 35,336 Reputation points
    2025-01-09T17:47:38.0666667+00:00

    Hi @Richard Francis

    Two-factor authentication is possible with Windows Hello for Business. For more information, please refer to the following links:

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/faq#how-does-windows-hello-for-business-work-with-microsoft-entra-registered-devices

    Implementing strong user authentication with Windows Hello for Business


    Please don't forget to accept the helpful answer.

