
yqds0 (yqds0) asked a question.
Hi, A new employee is coming next week, and I'd like to know what the proper process to enroll his device in Azure is, given the fact that:
- Our Azure tenant is federated by Okta, with MFA enabled
- Windows authentication at first start is NOT working (because of legacy auth, which can be circumvented with an exception sign-on policy) and the process requires a user who's not there yet to enroll

Hi Charles,
We have a fair amount of documentation floating around on joining devices to Azure:
Using Okta for Hybrid Microsoft AAD Join
Okta support for hybrid Azure AD joined devices
Details here are a little vague, but take a look at the links above and let me know if that's generally what you're looking for. If you're following some other documentation (or have a process other users have been following) let me know what that is and what changes you're concerned about and I'll take a look.
Isaiah, Okta.
Hi Isaiah,
Thanks for your answer, but no, it does not.
After much tinkering and many exchanges with support, here is the solution (Aurelie is the name of a fictional new employee):
For the first issue, "Windows authentication launches an Okta authentication window, which fails unless I allow legacy Authentication for that user: is that the mandatory way? There is no doc about that issue whatsoever and I had to find that solution myself.", for the device that is not yet enrolled in Azure AD, you can use Okta MFA to add an extra security layer to the enrollment, a step that you have already followed. The legacy authentication is mandatory as the Azure AD joined devices running Windows 10 use the WINLOGON service, and MFA can’t be enforced on legacy authentication requests.
As for the second issue, "Aurelie is not there yet, so Okta Verify or SMS shouldn't be an option. How should we do?", as OV and SMS are not configured, and also you do not have access to her email to set up email as a factor, I recommend setting up Okta Verify to enroll the device, and when Aurelie starts, just reset the MFA for her account so she can enroll in Okta Verify with her phone.
We had the same issue. Create a Sign-On rule and use Windows-AzureAD-Authentication-Provider/1.0 as a custom string. You may have to have custom strings turned on for you by support, I can't recall exactly. That traffic is the enrollment traffic prior to user logon interaction.
Thanks Chris for your answer!
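An exception sign-on rule keyed on the custom client string Chris mentions (or the per-user legacy-auth exception from the question) lets a session start without MFA, and a client string is set by the client, so anything that sends that user-agent can hit the rule. The script below is an added example, not code from the thread or from Okta: it audits constructed Okta System Log style events and flags every successful session start that had no MFA and did not come from the Azure AD join provider client (or, if a user allow-list is given, did not come from one of the excepted users). It assumes the System Log field names client.userAgent.rawUserAgent, actor.alternateId, outcome.result, eventType and transaction.id, and assumes an MFA challenge is logged as a user.authentication.auth_via_mfa event sharing transaction.id with the user.session.start it protects; all events in it are constructed, not real log data.

```python
"""Audit constructed Okta-style sign-in events against a legacy-auth exception rule.

Added example, not from the original thread and not Okta's own tooling.
Assumptions: events use the Okta System Log field names
client.userAgent.rawUserAgent, actor.alternateId, outcome.result, eventType
and transaction.id, and an MFA challenge is logged as a
user.authentication.auth_via_mfa event sharing transaction.id with the
user.session.start event it protects. All events below are constructed.
"""
from typing import Iterable, List, NamedTuple, Optional, Set

# Client string the exception sign-on rule in the thread matches on.
ENROLLMENT_CLIENT = "Windows-AzureAD-Authentication-Provider/1.0"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"


def _event(event_type: str, user: str, tx: str, user_agent: str,
           result: str = "SUCCESS") -> dict:
    """Build a constructed event in the shape of an Okta System Log entry."""
    return {
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "transaction": {"id": tx},
        "client": {"userAgent": {"rawUserAgent": user_agent}},
    }


# Constructed sample log (not real data).
SAMPLE_LOG = [
    # Device enrollment before first logon: WINLOGON / Azure AD join provider, no MFA possible.
    _event("user.session.start", "aurelie@example.com", "tx-1", ENROLLMENT_CLIENT),
    # Normal interactive sign-in with MFA.
    _event("user.authentication.auth_via_mfa", "bob@example.com", "tx-2", BROWSER),
    _event("user.session.start", "bob@example.com", "tx-2", BROWSER),
    # Browser sign-in that skipped MFA: must be flagged.
    _event("user.session.start", "carol@example.com", "tx-3", BROWSER),
    # Scripted sign-in from a different client with no MFA: must be flagged.
    _event("user.session.start", "aurelie@example.com", "tx-4", "curl/8.4.0"),
]


class Finding(NamedTuple):
    user: str
    client: str
    verdict: str


def client_string(event: dict) -> str:
    """Return the raw user-agent the client presented (empty if absent)."""
    return event.get("client", {}).get("userAgent", {}).get("rawUserAgent", "")


def exception_rule_matches(event: dict,
                           exception_users: Optional[Set[str]] = None) -> bool:
    """Mirror of the exception sign-on rule.

    exception_users=None reproduces a rule keyed only on the custom client
    string; a set of users reproduces a per-user legacy-auth exception that
    additionally requires the actor to be one of the listed users.
    """
    if client_string(event) != ENROLLMENT_CLIENT:
        return False
    return exception_users is None or event["actor"]["alternateId"] in exception_users


def audit(events: Iterable[dict],
          exception_users: Optional[Set[str]] = None) -> List[Finding]:
    """Classify every successful session start as MFA-protected, covered by
    the enrollment exception, or an MFA bypass outside the exception."""
    events = list(events)
    mfa_transactions = {
        e["transaction"]["id"]
        for e in events
        if e["eventType"] == "user.authentication.auth_via_mfa"
        and e["outcome"]["result"] == "SUCCESS"
    }
    findings: List[Finding] = []
    for e in events:
        if e["eventType"] != "user.session.start" or e["outcome"]["result"] != "SUCCESS":
            continue
        if e["transaction"]["id"] in mfa_transactions:
            verdict = "ok-mfa"
        elif exception_rule_matches(e, exception_users):
            verdict = "ok-enrollment-exception"
        else:
            verdict = "ALERT-no-mfa-outside-exception"
        findings.append(Finding(e["actor"]["alternateId"], client_string(e), verdict))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.verdict:32} {f.user:22} {f.client}")
```

Run it as-is to see the two constructed bypasses flagged; pass exception_users={"aurelie@example.com"} to model the per-user exception from the question, in which case a session from the enrollment client by any other user is also flagged. In practice you would feed it the real System Log export for the period the exception rule is enabled and remove the rule as soon as the device is joined.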