I've got a client looking to set up multi-factor authentication (MFA) for their local Active Directory users on all workstations. They don't have any IT staff, so I'm handling this myself. While most users primarily use their own workstations, some do log in with their domain accounts on different machines in the office.
The challenge I'm facing is that if we set up MFA tied to a user's cellphone or biometric input on their machine, it makes it difficult for me to troubleshoot issues. Sometimes I need to log in under their domain user account instead of using the admin account. If the MFA requires their presence, I get locked out when they're not around. I'm hoping to find a way to allow multiple MFA options, such as using Microsoft Authenticator or receiving an SMS for login, while also enabling the user to have a backup PIN.
Is there a way to implement multiple MFA options with Windows Hello for Business? I'm looking for functionality similar to what I see with many online services, like having multiple MFA choices for Microsoft 365. I also wonder if solutions like DUO offer the capability I'm seeking. Any insights would be greatly appreciated.
5 Answers
Just to clarify, it's not a good idea to log in using another user's credentials. If you need access to their account, they should be present to ensure security and proper use of MFA.
If you're thinking about bypassing user interaction for MFA, keep in mind that it defeats the purpose of the security model. You may want to adjust your remote support strategy so the user is present and can give consent for access when you need to troubleshoot.
If you need to log in as a user without MFA, you can issue a Temporary Access Pass from the Entra Admin site for that user. That TAP will allow you to log on without any MFA prompts. However, it only works for Microsoft services, not local domain accounts.
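As an added illustration of the Temporary Access Pass route this answer describes (example code written for this thread, not the poster's or Microsoft's own), the script below issues a single-use, short-lived TAP for one Entra ID user through the Microsoft Graph PowerShell SDK and writes a local issuance record. It assumes the Microsoft.Graph modules are installed, the caller can consent to the UserAuthenticationMethod.ReadWrite.All scope, and the log path is a placeholder; as the answer notes, a TAP only covers Entra sign-in, not on-prem AD logon.

```powershell
# Added example: issue a single-use Temporary Access Pass for an Entra ID
# user and record the issuance. Assumes the Microsoft Graph PowerShell SDK
# is installed and the caller can consent to the scope below.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $LifetimeInMinutes = 30   # keep the bypass window short
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
if (-not $user) { throw "User $UserPrincipalName not found in Entra ID" }

# Single-use plus a short lifetime limits how long the MFA-free sign-in exists.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $user.Id `
    -IsUsableOnce:$true `
    -LifetimeInMinutes $LifetimeInMinutes

# Local audit trail of who issued a TAP for whom (the pass value is not stored).
$record = [pscustomobject]@{
    IssuedAt  = (Get-Date).ToUniversalTime().ToString('o')
    IssuedBy  = (Get-MgContext).Account
    Target    = $user.UserPrincipalName
    ExpiresAt = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes).ToString('o')
    SingleUse = $tap.IsUsableOnce
}
# Placeholder path; point this at wherever the support log is kept.
$record | Export-Csv -Path '.\tap-issuance-log.csv' -Append -NoTypeInformation

# The pass is shown once; Graph does not return it again later.
Write-Host "TAP for $($user.UserPrincipalName): $($tap.TemporaryAccessPass)"
Write-Host "Valid until $($record.ExpiresAt) (UTC)"
```

The Entra sign-in logs will also show the TAP use under the user's sign-ins, which is the record to check afterwards.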
Keep in mind that Windows Hello for Business is considered strong authentication, but it might not meet the strict definition of multi-factor authentication. You won’t see the usual prompts for a code at login, which can complicate things if you're used to that with other systems.
Good point! Plus, TAP will likely only assist if you're working with Entra joined devices, which doesn't apply to local setups.
Here's the deal: with on-prem Active Directory and Windows Hello for Business, you won't really get the 'choose your MFA method at login' experience that Entra offers. WHfB acts as the strong authentication method itself, and Windows won’t let you pick other options like Authenticator or SMS during login. If multiple MFA choices at the Windows logon screen are a must, consider looking into third-party MFA solutions like Duo for Windows Logon. It allows users to select their method (push, phone, SMS) at the time of login. Otherwise, a common workaround is to avoid logging in as the user; use tools like LAPS or remote management instead.

Right, but I think you're mistaken. TAP is limited to Microsoft services, like Office 365. For local Active Directory setups, you’re out of luck.