Azure AD Join forces a MFA Authentication

During an Windows 10 / MDM / Syntaro project we faced an issue regarding MFA (Multi Factor Authentication). The customer was a local school where not all students have a smartphone during the class. Because of this, we had the requirement to disable MFA in his environment for Azure AD Joins.

Our first idea was to simply disabled the requirement for MFA in the Azure AD Device Settings blade :). But we experienced that the problem was not solved with this change. The Azure AD Join still triggers an MFA.

This means, that this is not the single setting, which will impact this behavior. We did some researches and found the feature, which triggers the MFA: Windows Hello for Business. The customer has enabled the automatic enrollment to Intune and configured there the Windows Hello for Business settings. To configure a device for Windows Hello an MFA is required. So, we had to disable Windows Hello for business and the MFA Requirement on Azure AD Join. Starting from this moment an Azure AD Join no longer requires an MFA.

I hope this post will help you in your future projects with the great EMS tools.

• About
• Latest Posts

Follow me

Thomas Kurth

Principal Security Consultant | MVP at baseVISION AG

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past ten years. I love to push and design the modern workplace based on Microsoft 365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.

Follow me

Latest posts by Thomas Kurth (see all)

• Microsoft Sentinel ASIM Parser demystified - March 31, 2024
• Enhancing Network Security Insights with IDS/IPS of Ubiquiti Dream Machine Pro and Microsoft Sentinel - March 10, 2024
• Ubiquiti Dream Machine Pro Logs to Microsoft Sentinel - February 6, 2024