NewB Question: Azure AD and Logging In

Question

Hi,

We are evaluating Azure AD to determine if it can help us secure our local PCs and I have a few questions. We have created a new Domain in Azure AD and have created a few test users to access that Domain.

I have been able to join our Windows 10 PCs to our new Azure AD Domain. When I log into the Windows 10 PC with my Azure AD account, I have to login a second time to access the myapps.microsoft.com web page. I am hoping to configure it when a user logs into their local Windows 10 PC, they don't have to re-authenticate themselves into the Azure AD again. Is that correct?

I have MFA set up on my Azure AD account but when I log into Windows 10 with that account, it doesn't require me to use my MFA?

I'm sure I'll have more questions as we move this along.

Thanks,
Kevin

Answer 1

If your device is hybrid Azure AD joined then you can SSO to both on-premises and cloud resources as described here: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid

If you don't want to re-authenticate with new sessions you can configure sign-in frequency using policies. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

It is not available to do "Azure MFA" at the time of login. But the "Windows Hello for Business" is considered strong auth. If you want to do MFA at the time of login, Windows Hello for Business (bio metric/PIN etc) is the answer. https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock