@Cliff Poe,
All Azure AD tenants can use security defaults to quickly enable Microsoft Authenticator for all users. Users and groups can be enabled for Azure AD Multi-Factor Authentication to prompt for additional verification during the sign-in event. But enabling Azure MFA for privileged accounts logging into .local domain-joined computers is not currently supported. I recommend you post your requirement on the Azure feedback site so that Microsoft can take it up as a feature request. Thanks.
https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789
Any way to get MFA for privileged accounts at the .local domain level
I really need to put something to bed here. We have a .local domain with email at Microsoft 365. As part of a cyber-security insurance audit, we are being asked if privileged accounts use MFA for logging into domain machines. Now, we aren't "required" to do this, but we are being asked, so I'm tasked with finding out HOW to do this.
My thinking was maybe, since our .local computers are managed by Intune in our M365 account, perhaps we could leverage Conditional Access and introduce MFA for privileged accounts when logging into computers. From everything I read, this is not doable, but I want to make sure, so I'm asking on several forums if anyone has made this work.
So, the question is: can I somehow leverage Azure MFA and Conditional Access rules to introduce MFA for privileged accounts logging into .local domain-joined computers?
Thank you.
Ravi Kanth Koppala 3,231 Reputation points Microsoft Employee
2022-01-20T18:02:04.41+00:00