Hey everyone!
I'm currently tasked with finding a way to implement MFA for our laptops that requires Microsoft Authenticator during user logins. We want to use the Microsoft Authenticator app that's already linked to our users' Entra accounts. However, we've hit a roadblock since Microsoft doesn't support this feature with Windows Hello for Business, and our legal team has firmly restricted any biometric authentication options.
I've been looking into solutions and found that ManageEngine offers a potential fix with their ADSelfService Plus, which I'm currently demoing. But I'm curious if anyone else has experience with similar solutions or different service providers. I've also checked out Duo, but it appears to only work with their authenticator app and not integrate with our Entra ID.
We understand that if users don't have their phones, they can't log in, and the business is fine with that. Since our setup is hybrid and users authenticate with AD credentials, we're planning to transition to Cloud-only later this year. We have around 3,000 users, so it's a big project ahead. Any insights or recommendations would be appreciated!
5 Answers
If the primary requirement is to stay within your existing Microsoft setup, then unfortunately, most third-party options are going to be limited in how they integrate with Entra ID. Duo and ManageEngine are top contenders, but you’re right about the limitations with Duo only using their authenticator app. Keep an eye out because a lot of vendors are now focusing on improving those integrations, especially with Entra.
We’ve switched to miniOrange for MFA on our Windows servers and it’s got the basics covered, but it can be a pain if their services glitch. They did update recently, but now they run various microservices, which can lead to some annoyances. Overall, it’s okay if you need something basic, but might want to look into cloud options for better stability.
What’s the deal with the legal reason behind the ban on biometrics? I mean, Windows Hello for Business with PINs doesn’t necessarily involve biometrics. But if you go with web login, just keep in mind that you’ll need the internet for that. Maybe you should also consider VDI, where users log in via a virtual desktop. It gives you more control, though it could come with some added costs.
Exactly! And make sure users are aware—if they're offline, they’re going to have login challenges.
Duo might actually be exactly what you're looking for. It’s been reliable for us—super straightforward to configure and deploy, and they provide solid support for various setups. Plus, if you have a smaller number of users needing privileged access, they offer a free tier for under 10 seats without any issues. Give it a solid look!
I’ve had a really good experience with Duo too. It just works, and it’s easy to deploy across different environments.
Agreed! It’s very user-friendly, especially for teams that aren’t huge but need good oversight.
Honestly, I’d also suggest checking out using Duo with offline mode for your RDP setup. It’s pretty easy to configure and has worked well for both our laptops and desktops. You're right; it can get tricky in a hybrid environment, but once set up, it’s reliable! Just make sure to test it thoroughly.
That’s a solid approach, especially since you've got users coming in and out. Keeping everything functioning seamlessly will be key!
Duo's offline capabilities might save you some headaches in the long run, especially with those users not always being online.
Sounds like your legal team is just being overly cautious. There are ways around it without storing sensitive data, all right, but it does sound like a tough sell.