0 Votes
PoratArzouan-2702 asked Frosticles-0731 answered

Multi factor authentication to Windows login via Conditional access/Intune

Hey,
One of my customers had a few questions, so I wanted to consult with more experienced guys than me.

  1. Via Intune\Azure AD Premium plan 1/2, can I achieve MFA of Microsoft Authenticator or SMS from Microsoft on Windows login (each time the user logs in, not only on enrollment)?

I introduced my client to Windows Hello and he said it's not sufficient enough for him;
he wants multi factor through another device, as Microsoft Authenticator knows.

He also wants the MFA to work only when they are outside the organization's IP pool. Is it possible? (I know it's possible through conditional access, but I didn't find Windows login there, only Intune enrollment.)

  2. Through the Intune product, can I see who tried to log in to my Office 365 users and from which IP? (If not, do you know which tool does it, such as Office 365 Defender ATP?)

azure-active-directory, azure-ad-conditional-access

@PoratArzouan-2702 Thanks for posting in our Q&A.
For seeing who tried to log in to my Office 365 users, we can check sign-in logs in Azure AD. For this case, it is more related to Azure AD, so I will remove the intune-device-configurations tag and add the Azure AD tag. Thanks.

0 Votes 0 ·

Is there another portal that gives more analytics and more info about the current logged sign-ins and gives me the ability to force log off the users? Such as the CASB of Microsoft?

0 Votes 0 ·

@PoratArzouan-2702
I wanted to follow up and know if the below responses helped in answering your query. If it did, please do not forget to accept the appropriate response as Answer.

0 Votes 0 ·
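The sign-in log check described in the comment above, as an added example that is not part of the original thread: it assumes sign-in records exported as JSON with the field names of the Microsoft Graph signIn resource, and lists each user's sign-ins that came from outside the organization's IP ranges. The records, the `contoso.example` users and the `203.0.113.0/24` trusted range are constructed placeholders.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: the organization's public egress range (documentation-range placeholder).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export; field names follow the Microsoft Graph signIn resource.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2021-06-01T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2021-06-01T21:40:03Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Office 365 SharePoint Online",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2021-06-02T03:15:45Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.99", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126}},
    {"createdDateTime": "2021-06-02T03:15:59Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.99", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126}},
])


def is_trusted(ip):
    """True when ip parses and falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # an empty or malformed address counts as untrusted
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def external_sign_ins(export_json):
    """Group sign-ins from outside the trusted ranges by user: (time, ip, app, ok)."""
    report = defaultdict(list)
    for rec in json.loads(export_json):
        ip = rec.get("ipAddress", "")
        if is_trusted(ip):
            continue
        ok = rec.get("status", {}).get("errorCode") == 0  # errorCode 0 means success
        report[rec["userPrincipalName"]].append(
            (rec["createdDateTime"], ip, rec.get("appDisplayName"), ok))
    return dict(report)


if __name__ == "__main__":
    for user, events in external_sign_ins(SAMPLE_EXPORT).items():
        failed = sum(1 for e in events if not e[3])
        print(f"{user}: {len(events)} external sign-in(s), {failed} failed")
```
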
0 Votes
vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@PoratArzouan-2702 Currently this is not possible. You cannot have multifactor via the Authenticator app during Windows login. Microsoft does not provide any options like this. There are a few third parties which allow doing this using some custom tool. You can read more on this thread where I answered a similar scenario.

All MFA are targeted to applications/resources and none of them target Windows login via conditional access.

Windows Hello for Business with biometric capability can be used in this place and aligns with Microsoft's suggestion, provided your hardware supports this.


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

What would you suggest to the customer who wants this feature (of course within the capabilities of Intune/Azure AD)?

About the other question, with seeing analytics of users' sign-ins to Office 365:

Is there another portal that gives more analytics and more info about the current logged sign-ins and gives me the ability to force log off the users? Such as the CASB of Microsoft?

0 Votes 0 ·

@PoratArzouan-0184 You can try something such as Multi-Factor Unlock with Windows Hello for Business, which works with trusted signals. This will help if you have the following concerns:
1) Have expressed that PINs alone do not meet their security needs.
2) Want to prevent Information Workers from sharing credentials.
3) Want their organizations to comply with regulatory two-factor authentication policy.
4) Want to retain the familiar Windows sign-in user experience and not settle for a custom solution.

Read more in detail here about how to implement it.


1 Vote 1 ·
0 Votes
PaD-7009 answered PoratArzouan-0184 commented

One of my clients does this with a 3rd party tool called "Manage Central".


Thank you very much,

But I want the customer to work with Microsoft solutions.

0 Votes 0 ·
0 Votes
LeonLIU-0010 answered

I have the same issue in my org. It seems that Microsoft only provides Windows web sign-in for Azure AD joined devices, but we are in hybrid.


3 Votes
ThiloLangbein-3604 answered

Is there any news around MS built-in MFA for Windows 10/11 AAD computer sign-in?


1 Vote
Frosticles-0731 answered

Come on Microsoft -- get your act together -- this really should be an option built in to the O/S -- should not require third-party tools.
