Any way to get MFA for privileged accounts at the .local domain level

Cliff Poe 26 Reputation points
2022-01-20T16:27:54.01+00:00

I really need to put something to bed here. We have a .local domain with email at Microsoft 365. As part of a cyber-security insurance audit, we are being asked if privileged accounts use MFA for logging into domain machines. Now, we aren't "required" to do this, but we are being asked, so I'm tasked with finding out HOW to do this.

My thinking was maybe, since our .local computers are managed by Intune in our M365 account, perhaps we could leverage Conditional Access and introduce MFA for privileged accounts when logging into computers. From everything I read, this is not doable, but I want to make sure, so I'm asking on several forums if anyone has made this work.

So, the question is: can I somehow leverage Azure MFA and Conditional Access rules to introduce MFA for privileged accounts logging into .local domain-joined computers?

Thank you.

Microsoft Entra ID

Accepted answer
Ravi Kanth Koppala 3,231 Reputation points Microsoft Employee
2022-01-20T18:02:04.41+00:00

@Cliff Poe,
All Azure AD tenants can use security defaults to quickly enable Microsoft Authenticator for all users. Users and groups can be enabled for Azure AD Multi-Factor Authentication to prompt for additional verification during the sign-in event. But enabling Azure MFA for privileged accounts logging into .local domain-joined computers is not currently supported. I recommend you post your requirement on the Azure feedback site so that Microsoft can take it up as a feature request. Thanks.
https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789
