Is there a way to use Azure MFA (using the Authenticator app) for Windows 10 desktop logins? The goal is that users who log in on a domain PC need to authenticate via the Microsoft Authenticator app for every login on the PC. I know there is a similar question that is two years old. It says that it was not possible at that time. Otherwise there are articles that say it is possible using Azure hybrid join. Our domain environment consists of 50 domain PCs. We have our AD users synced to Azure but not the PCs yet. What is the best way to achieve the goal? Is that even possible? Thank you for your help!


Solution 1:

The solution would depend both on user account type and device type.

Microsoft accounts (personal)

Currently only personal Microsoft accounts (e.g. @outlook.com) are fully supported for passwordless login to Windows 10/11 using the Authenticator app.

Azure AD accounts (work or school) on Azure AD joined devices

There is a feature which is called Web sign-in and it allows signing in to Windows using Azure AD account and Authenticator app. Unfortunately it is supported only on Azure AD joined devices, but not on hybrid PCs. Also, it is currently in preview with no clear ETA, so it might not be ready for production yet.

Azure AD account or AD account on hybrid AAD hybrid-joined device or domain device

You can still achieve passwordless login for domain accounts (hybrid or on-prem) using Windows Hello for Business (WHfB) via device PIN, biometrics, smart card or FIDO2 key. The Authenticator app is not supported for this scenario. Basically, WHfB replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. It gets a bit tricky from here. E.g. WHfB is NOT the same as Windows Hello, even though it has the exact same words in it (I know, right). The deployment might get complicated based on your current environment. More info can be found in the official deployment guide.
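As an added illustration (not part of the question or the answer above), the options in this answer hinge on two facts about each PC: its join state (Azure AD joined, hybrid joined, or domain joined only) and whether a Windows Hello for Business key has already been provisioned for the user. Both are reported by `dsregcmd /status`. The PowerShell below parses that output and classifies the machine; the field names `AzureAdJoined`, `DomainJoined`, `NgcSet` and `AzureAdPrt` are the ones the tool prints, the sample status text embedded in the script is constructed to resemble the questioner's environment, and the `Get-JoinState` function name is my own.

```powershell
# Added example: classify a Windows device's join state from dsregcmd /status.
# This is not code from the original answer. The field names are those printed
# by dsregcmd; the embedded sample text is constructed so the script runs offline.

function Get-JoinState {
    [CmdletBinding()]
    param(
        # Raw lines of "dsregcmd /status" output. When omitted, the real tool is run.
        [string[]]$StatusText
    )

    if (-not $StatusText) {
        # dsregcmd.exe ships with Windows 10/11 and reports the current device/user state.
        $StatusText = & dsregcmd.exe /status
    }

    # Status lines look like "             AzureAdJoined : YES"; capture key and value.
    # Box-drawing lines ("+----", "| Device State |") do not match and are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined']  -eq 'YES'

    if ($aadJoined -and $domainJoined) { $joinType = 'HybridAzureAdJoined' }
    elseif ($aadJoined)                { $joinType = 'AzureAdJoined' }
    elseif ($domainJoined)             { $joinType = 'DomainJoinedOnly' }
    else                               { $joinType = 'NotJoined' }

    [pscustomobject]@{
        JoinType      = $joinType
        # NgcSet = YES means a Windows Hello for Business key pair exists for this user.
        WhfbKeySet    = $fields['NgcSet'] -eq 'YES'
        # AzureAdPrt = YES means the user holds a Primary Refresh Token, i.e. the
        # Azure AD sign-in path is actually working on this device.
        HasAzureAdPrt = $fields['AzureAdPrt'] -eq 'YES'
        # Per the answer above: Web sign-in with the Authenticator app applies only
        # to Azure AD joined devices; hybrid and domain-only PCs are limited to WHfB.
        AuthenticatorSignInPossible = ($joinType -eq 'AzureAdJoined')
    }
}

# Constructed sample resembling the questioner's situation: on-prem domain joined,
# users synced to Azure AD, but the PC not yet hybrid joined and no WHfB key set.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
                AzureAdPrt : NO
'@ -split "`r?`n"

Get-JoinState -StatusText $sample | Format-List

# Live check on the current machine (run in the context of the signed-in user):
# Get-JoinState | Format-List
```

Running the live form on each of the 50 PCs (for example through a logon script or remote session) gives a quick inventory of which machines are still domain-only, which have completed hybrid join, and which users already have a WHfB key, before deciding between the hybrid-join plus WHfB route and re-joining devices directly to Azure AD.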