![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,473 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Chris Stephens ,
It sounds like the previous setup used per-user MFA, but you might have security defaults enabled on the tenant at the same time. If users are enrolled in per-user MFA, their state will show up as "Enabled" once enrolled in MFA and "Enforced" once they have signed in and registered for MFA.
If your tenant has Security Defaults enabled, users will be prompted for MFA regardless of their per-user status. Security defaults requires all users to register for MFA, but does not require MFA for all users at all times. Instead, users will be prompted for Multi-Factor Authentication based on factors such as location, device, and role.
If you want to use per-user MFA alone, you can disable security defaults under Azure Active Directory > Properties > Manage Security Defaults > Enable Security Defaults > No.
Otherwise if you have either Security Defaults or Conditional Access enabled, the per-user Disabled/Enabled/Enforced settings won't matter and the Security Default or Conditional Access settings will trump those settings.
There is no way to solely disable PIN for AD joined users, as this is a Windows Hello For Business requirement and it is the fallback mechanism when other providers are unavailable. But we do have the option to use multifactor unlock to use bio-metric as the first provider. PIN can also be skipped if you have ADFS, but the PIN would still be required for the initial setup. Also, if it's a Windows 10 desktop version 1607 or above that you are Azure AD joining you can actually disable Windows Hello for Business with a setting in Intune. Note though that for Windows 10 Mobile this setting will not have any effect since it's by design that Windows 10 Mobile devices will bypass this setting when Azure AD joining these devices.
Let me know if this helps!
Marilee
-
If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.