Robbert1979 asked (0 votes), VNJoe commented

MFA with Microsoft Authenticator when logging in to AAD joined W10 device

Hello Community,

I have a W10 20H2 device joined to Azure Active Directory and I make use of Intune. I enabled MFA on my account.
When I log in on https://login.microsoftonline.com I am forced to use MFA (through SMS or Authenticator app). So far so good.

When I log in on my W10 device I am not getting any form of MFA.
Is it possible to get an SMS or use the Authenticator app when I log in to my W10 device?
I can only choose Hello Face, Hello Fingerprint, PIN, Security Key, Password or an Image.

At this moment I use Duo Security but I prefer using AAD if possible.

See the screenshot below.

The green box gives some information about the Microsoft Authenticator app.
The red box does not say anything about the Microsoft Authenticator app.
So it is not very clear to me if it is possible.

The article does not say it is impossible, but it also does not say it is possible.

I hope the community can clarify this.

Thanks in advance.

[Screenshot attached: mfa.png]

Tags: azure-active-directory, azure-ad-multi-factor-authentication

michev answered (0 votes), Robbert1979 commented

On an Azure AD joined device, you are effectively logging in via the so-called Primary Refresh Token (PRT), which is also considered a form of two-factor authentication, thus no additional prompts are presented. Read here for more details: https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/

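A defender-side check that follows from this answer, added here and not part of the original thread: on the device itself, the built-in `dsregcmd /status` tool reports whether the machine is Azure AD joined, whether a PRT is currently present, and whether Windows Hello (the `NgcSet` field) is enrolled, which together tell you what a local PIN or Hello unlock is actually unlocking. The field names are real dsregcmd fields; the `SAMPLE_STATUS` text is a constructed, abbreviated stand-in for the tool's output so the script runs offline, and the `--live` switch and the verdict wording are my own.

```python
"""Check the Azure AD join / PRT / Windows Hello state of a Windows 10 device.

Added example (not from the thread): parses the text printed by `dsregcmd /status`,
the built-in tool that reports the state michev's answer refers to. The field names
(AzureAdJoined, AzureAdPrt, NgcSet, ...) are real dsregcmd fields; SAMPLE_STATUS is
a constructed, abbreviated stand-in for that output so the script runs offline.
"""
import re
import subprocess
import sys

# Constructed sample of dsregcmd /status output (abbreviated; real output has more sections).
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : W10-DESKTOP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-02-01 08:00:00.000 UTC
      AzureAdPrtExpiryTime : 2021-02-15 08:00:00.000 UTC
"""

# 'Key : Value' lines; keys are letters and spaces, values may themselves contain colons.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text: str) -> dict:
    """Turn the 'Key : Value' lines of dsregcmd output into a dict; the box-drawing
    section headers start with '+' or '|' and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess(fields: dict) -> dict:
    """Summarise what a local logon on this device relies on, in the terms of the
    answer above: with a PRT present, Azure AD already treats the session as
    strongly authenticated, so no further Authenticator/SMS prompt appears."""
    def yes(key: str) -> bool:
        return fields.get(key, "").strip().upper() == "YES"

    aad_joined = yes("AzureAdJoined")
    prt_present = yes("AzureAdPrt")
    hello_set = yes("NgcSet")  # Windows Hello (PIN/biometric) enrolled for this user

    if not aad_joined:
        verdict = "not Azure AD joined: no PRT-based SSO on this device"
    elif prt_present:
        verdict = ("Azure AD joined with a PRT: the Windows logon factor (PIN/Hello/password) "
                   "gives access to PRT-based cloud SSO without a further MFA prompt")
    else:
        verdict = "Azure AD joined but no PRT: cloud SSO will require a fresh sign-in"

    return {
        "aad_joined": aad_joined,
        "prt_present": prt_present,
        "hello_set": hello_set,
        "prt_expires": fields.get("AzureAdPrtExpiryTime", "n/a"),
        "verdict": verdict,
    }


def main() -> None:
    # `--live` runs the real tool on a Windows host; the default uses the constructed sample.
    if "--live" in sys.argv:
        text = subprocess.run(["dsregcmd", "/status"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_STATUS
    for key, value in assess(parse_dsregcmd(text)).items():
        print(f"{key:>12}: {value}")


if __name__ == "__main__":
    main()
```

Run it with `--live` on the device in question to see the real state; the offline run shows the situation the thread describes (joined, PRT present, Hello enrolled), which is exactly the case where the local PIN is the factor that matters.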

Hi Michev,

Thanks for the reply.
If someone has access to my device and knows my PIN code, he has access to all my documents.
In my opinion this is a serious security issue.

I will keep using Duo Security

Regards,

Robbert

(1 vote)

vipulsparsh-MSFT answered (1 vote), VNJoe commented

@Robbert1979 MS does not allow any Azure MFA at the time of Windows login. A normal MFA which is supported by MS is Windows Hello or Pin.
However, if you must find a way with authenticator App during Windows Login, you can try some 3rd parties that integrate this functionality with their 3rd party tools.
Using 3rd parties for this is solely up to you and MS does not support/recommend them.

As an informational piece, you can look at https://james-rankin.com/articles/adding-microsoft-authenticator-mfa-to-windows-logon-using-manageengine-ad-self-service-plus/ to understand how other people might be using it.
[The link is a 3rd party link and is used for knowledge purposes only; MS is not responsible for any information shared in it.]


Hi vipulsparsh-MSFT,

Thanks for the reply.
I will keep using Duo Security for this purpose.
It works perfectly, but I wanted to know for sure that I wasn't overlooking something.

Regards,

Robbert

(0 votes)

I'd like to understand how sweeping steps have been taken to secure O365 yet no progress on Secure By Default with Windows logins to AzureAD without Authenticator. How does this process make any sense in this context, and what is Microsoft doing to address bringing Authenticator App to Windows logins if you have P2 or Intune?

(1 vote)