MFA with Microsoft Authenticator when logging in to AAD joined W10 device

asked 2021-02-19T11:13:09.493+00:00
Robbert 46 Reputation points

Hello Community,

I have a W10 20H2 device joined to Azure Active Directory and I make use of Intune. I enabled MFA on my account.
When I log in on https://login.microsoftonline.com I am forced to use MFA (through SMS or the Authenticator app). So far so good.

When I log in on my W10 device I am not getting any form of MFA.
Is it possible to get an SMS or use the Authenticator app when I log in to my W10 device?
I can only choose Hello Face, Hello Fingerprint, PIN, Security Key, Password or an Image.

At this moment I use Duo Security but I prefer using AAD if possible.

See the screenshot below.

The green box gives some information about the Microsoft Authenticator app.
The red box is not telling anything about the Microsoft Authenticator app.
So it is not very clear to me whether it is possible.

The article is not telling it is not possible, it also is not telling it is possible.

I hope the community can clarify this.

Thanks in advance.



2 answers

  1. answered 2021-02-19T13:58:03.8+00:00
    VipulSparsh-MSFT 15,951 Reputation points

    @Robbert MS does not allow any Azure MFA at the time of Windows login. A normal MFA which is supported by MS is Windows Hello or PIN.
    However, if you must find a way to use the Authenticator app during Windows login, you can try some 3rd parties that integrate this functionality with their 3rd-party tools.
    Using 3rd parties for this is solely up to you, and MS does not support/recommend them.

    As an informational piece, you can look at https://james-rankin.com/articles/adding-microsoft-authenticator-mfa-to-windows-logon-using-manageengine-ad-self-service-plus/ to understand how other people might be using it.
    [The link is a 3rd-party link and is used for knowledge purposes only; MS is not responsible for any information shared in it.]


  2. answered 2021-02-19T12:24:39.91+00:00
    Vasil Michev 61,446 Reputation points Microsoft MVP

    On an Azure AD joined device, you are effectively logging in via the so-called Primary Refresh Token (PRT), which is also considered a form of two-factor authentication, so no additional prompts are presented. Read here for more details: https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/
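The answer above points at the PRT as the reason no second prompt appears. A practitioner checking this on an actual device would want to see the join state and whether the signed-in user currently holds a PRT. The script below is an added example, not code from the question or either answer: it parses the `Key : Value` lines that `dsregcmd /status` prints (the tool ships with Windows 10) and reports `AzureAdJoined`, `AzureAdPrt` and `AzureAdPrtUpdateTime`. The sample output embedded in it is constructed so the script runs offline; flip `$useLiveOutput` to `$true` on a real AAD joined device to read the live status instead.

```powershell
# Added example: inspect Azure AD join state and PRT presence from dsregcmd /status.
# Assumptions: dsregcmd.exe is on PATH (ships with Windows 10/11) and prints fields
# as "Name : Value"; the sample text below is constructed, not real device output.

function ConvertFrom-DsregcmdStatus {
    # Turn the "Name : Value" lines of dsregcmd output into a hashtable.
    # Section banners ("| Device State |") and separators ("+----+") have no
    # "Name :" prefix and are skipped by the regex.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9_\-]+)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    return $result
}

function Test-AzureAdPrt {
    # Evaluate the fields that matter for the PRT-based sign-in discussed above.
    param([Parameter(Mandatory)][hashtable]$Status)
    $joined = $Status['AzureAdJoined'] -eq 'YES'
    $hasPrt = $Status['AzureAdPrt'] -eq 'YES'
    $verdict = if ($joined -and $hasPrt) {
        'AAD joined and the current user holds a PRT; Windows sign-in will use it.'
    } elseif ($joined) {
        'AAD joined but no PRT for the current user; sign in again (or check connectivity) to obtain one.'
    } else {
        'Device is not Azure AD joined; PRT-based SSO does not apply.'
    }
    [pscustomobject]@{
        AzureAdJoined = $joined
        HasPrt        = $hasPrt
        PrtUpdateTime = $Status['AzureAdPrtUpdateTime']
        Verdict       = $verdict
    }
}

$useLiveOutput = $false   # set to $true on a real Azure AD joined device

if ($useLiveOutput) {
    # dsregcmd writes plain text to stdout; capture it as an array of lines
    $raw = & dsregcmd /status
} else {
    # Constructed sample, abridged to the shape of real dsregcmd output
    $sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-02-19 10:02:11.000 UTC
'@
    $raw = $sample -split "`r?`n"
}

$status = ConvertFrom-DsregcmdStatus -Lines $raw
Test-AzureAdPrt -Status $status | Format-List
```

Run it in the context of the user whose sign-in you are checking rather than from a SYSTEM or elevated service session, because the SSO State section of `dsregcmd /status` reflects the calling user's own PRT. If `AzureAdPrt` comes back `NO` on a device that is `AzureAdJoined : YES`, the user has no PRT yet, which is the case in which the cached-credential path rather than the PRT path is in play.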