Azure AD Join forces a MFA Authentication

During an Windows 10 / MDM / Syntaro project we faced an issue regarding MFA (Multi Factor Authentication). The customer was a local school where not all students have a smartphone during the class. Because of this, we had the requirement to disable MFA in his environment for Azure AD Joins.

Our first idea was to simply disabled the requirement for MFA in the Azure AD Device Settings blade :). But we experienced that the problem was not solved with this change. The Azure AD Join still triggers an MFA.


This means, that this is not the single setting, which will impact this behavior. We did some researches and found the feature, which triggers the MFA: Windows Hello for Business. The customer has enabled the automatic enrollment to Intune and configured there the Windows Hello for Business settings. To configure a device for Windows Hello an MFA is required. So, we had to disable Windows Hello for business and the MFA Requirement on Azure AD Join. Starting from this moment an Azure AD Join no longer requires an MFA.

I hope this post will help you in your future projects with the great EMS tools.

Thomas Kurth

Thomas Kurth

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Hosting sponsored by: