Windows Login with MFA

  • Question

  • Hello,

    I am trying to require MFA at Windows login. We are running Windows 10 Enterprise devices that are on version 1803. All of the devices are connected to AAD. I have tried to enable the MFA through the Azure portal, and it required MFA for web login of their account, but it did not require the MFA at Windows login. Is there any way to require MFA at the Windows login screen? I saw that there is an option to download an MFA server and connect it to Azure, but I was not sure if that would help with the Windows login. I found this link that talked about Windows Authentication with the MFA server, but it appears that this is more for Windows applications.

    Thanks in advance for your time and help on this issue.

    Monday, July 30, 2018 12:58 PM

All replies

  • Hi,

    MFA server will not provide Multi-Factor Authentication during Windows Login, only for Applications.

    It might not be the MFA solution you are looking for, but the closest solution currently available for MFA on Windows Login is Windows Hello for Business:

    "In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN."

    "Is Windows Hello for Business multifactor authentication?
    Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor"."


    • Proposed as answer by Femisulu-MSFT Tuesday, July 31, 2018 11:49 PM
    Monday, July 30, 2018 1:00 PM
  • Hi,

    I noticed that all of the devices are connected to AAD. For Azure AD issues, I suggest discussing it in our Azure forum; they are the best resource to troubleshoot this issue.

    https://social.technet.microsoft.com/Forums/azure/en-US/home?category=windowsazureplatform

    Thank you for understanding.

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 1, 2018 2:07 AM
  • Tony, thanks for your suggestion. I will ask this question in the Azure forums to see if they have any insight.
    Wednesday, August 1, 2018 2:19 PM
  • John, I do not think this is really what we are wanting. Even with using a PIN or biometrics, people could still sign into the device with the Office 365 account password. That would mean that if the account passwords were compromised and someone tried to log into the device they could just bypass the PIN or biometrics and get into the computer. We are wanting to prevent this. We would like our users to be able to type in their password and then have to type in a verification code that was sent to their phone or approve it with Microsoft's Authenticator app.
    Wednesday, August 1, 2018 2:25 PM
  • Hi,

    Microsoft does not offer this functionality yet. A feature request can be found on the Azure Feedback Forums:

    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/19319638-add-mfa-support-to-secure-the-windows-10-logon

    Best regards,

    John

    • Proposed as answer by Femisulu-MSFT Monday, August 27, 2018 6:08 PM
    • Marked as answer by CIS-03 Thursday, August 30, 2018 1:45 PM
    Wednesday, August 1, 2018 3:05 PM
  • John, 

    Thanks for your information. I will add my vote for this feature. 

    Wednesday, August 1, 2018 3:09 PM
  • You're welcome. If your question has been answered, please don't forget to mark the thread as answered. It helps improve the chance of others with similar questions obtaining answers.
    Friday, August 17, 2018 12:17 PM