Hi Adin Mohhamed,
How is your issue going? Has it been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)
VP
We’re currently using Entra ID accounts to sign in to our laptops. Management has asked us to enforce 2FA for Windows login, specifically when devices are used outside the office network. Ideally, we’d like to set up a policy that triggers multi-factor authentication only when a laptop is offsite. Is there a way to achieve this natively, without relying on any third-party tools or hardware? We’re on Microsoft 365 Business Premium. Thanks in advance for any guidance.
Hi Adin Mohhamed,
Your management's requirement is entirely understandable for a hybrid environment, but achieving this specific location-based multi-factor authentication natively at the Windows login screen is not possible with Microsoft 365 Business Premium. Entra ID Conditional Access policies are designed to gate access to cloud applications and services rather than hooking directly into the local Windows lock screen. When a user powers on their laptop, the Windows Local Security Authority handles the initial desktop sign-in using locally cached credentials or a Primary Refresh Token. This architecture ensures users can log in even without internet access, meaning a cloud-enforced network check at the login screen would risk completely locking users out if they are offline or stuck behind a captive portal.
If your team is open to an alternative, the most secure native solution included in your licensing is Windows Hello for Business. Instead of toggling multi-factor authentication based on network location, it transforms every desktop login into a robust two-factor event by pairing the hardware-backed Trusted Platform Module with a user PIN or biometric marker. You can push this configuration seamlessly via Intune Endpoint Manager or configure it at the system level through the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork by setting the Enabled DWORD value to 1. This satisfies the core requirement of protecting the device everywhere without relying on an active internet connection. Should strict location-based enforcement for the desktop login remain an absolute necessity, you will need to implement a third-party Windows credential provider designed to inject authentication prompts directly into the local logon process based on active network states.
Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.
VP
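As an added example (not code from the answer above or from Microsoft), the following PowerShell script audits a device for the Windows Hello for Business prerequisites the answer describes (a present and ready TPM, an Entra-joined device holding a Primary Refresh Token) and, with -Enforce, writes the same HKLM\SOFTWARE\Policies\Microsoft\PassportForWork Enabled=1 policy the answer mentions. The script name Test-WhfbPolicy.ps1 is hypothetical; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the built-in TrustedPlatformModule module and dsregcmd available. The RequireSecurityDevice value is not mentioned on the page; it corresponds to the "Use a hardware security device" policy and is included so the credential is TPM-bound rather than software-backed.

```powershell
# Test-WhfbPolicy.ps1 (hypothetical name; added example, not from the original answer)
# Reports Windows Hello for Business readiness and optionally applies the registry
# policy. Assumptions: elevated session, Windows 10/11, Entra-joined device.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce   # apply the policy instead of only reporting
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

# 1. Hardware check. WHfB's second factor is a key sealed in the TPM, so without a
#    present and initialised TPM the PIN would be a single factor, not a second one.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}  TPM ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 2. Join state. dsregcmd shows whether the device is Entra joined and whether it
#    holds a Primary Refresh Token, the token the local sign-in relies on offline.
$dsreg  = dsregcmd /status
$joined = $null -ne ($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$hasPrt = $null -ne ($dsreg | Select-String 'AzureAdPrt\s*:\s*YES')
Write-Host ("Entra joined: {0}  PRT present: {1}" -f $joined, $hasPrt)

# 3. Current policy state. A missing key means the GPO/registry policy is not set and
#    WHfB enrolment is governed by Intune or user choice instead.
$current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$enabled = if ($null -eq $current -or $null -eq $current.Enabled) { '<not set>' } else { $current.Enabled }
Write-Host ("Policy Enabled = {0}" -f $enabled)

# 4. Optional enforcement. Refuse to enable the policy if the TPM cannot back the key;
#    otherwise write the values the GPO "Use Windows Hello for Business" would write.
if ($Enforce) {
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; refusing to enable WHfB without a hardware-backed key.'
    }
    if (-not $joined) {
        throw 'Device is not Entra joined; WHfB provisioning against Entra ID would fail.'
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Enabled=1 and RequireSecurityDevice=1')) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name 'Enabled' -Value 1 -Type DWord
        # Not mentioned in the answer above: require the TPM so the key is never
        # software-only. This is the "Use a hardware security device" policy.
        Set-ItemProperty -Path $PolicyKey -Name 'RequireSecurityDevice' -Value 1 -Type DWord
        Write-Host 'WHfB policy applied; users are prompted to provision at next sign-in.'
    }
}
```

Run it without switches to audit, or as `.\Test-WhfbPolicy.ps1 -Enforce -WhatIf` to see what would change before committing. Note that this policy applies on every sign-in regardless of network location, which is exactly the trade-off the answer describes: the second factor is the device-bound key, not a cloud check the logon screen cannot perform while offline.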
Native Microsoft solutions in the provided context support enforcing multifactor authentication for sign-in to Microsoft 365 and Entra ID–protected resources, but they do not describe a way to require MFA specifically at Windows client (desktop) logon only when a device is offsite.
The documented strong-authentication guidance focuses on:
The context also shows how MFA can be enforced broadly for all users and strengthened with passwordless or phishing-resistant methods, but it does not provide a native mechanism to scope MFA to “Windows logon only when off the corporate network.”
Based on the available documentation, there is no described native, Entra/Windows policy that enforces 2FA only for Windows sign-in when devices are offsite, without third‑party tools or additional hardware.