
qxp1l (qxp1l) asked a question.
Once we have deployed our Windows devices via Intune, users are prompted to set up Windows Hello for Business, as we encourage the use of Fingerprint / Face ID for device login. I understand this is classed as a form of MFA by Microsoft and therefore requires another form other than a password. This is understandable, and with a Sign-in Policy in Okta requiring 2 factors, this can be allowed (Okta MFA to Azure MFA is enabled).
However, the issue with this is that we would like to set up a Device Trust based policy structure that only allows Modern Authentication on devices that are registered and managed by Intune (single-factor authentication allowed on managed devices, otherwise denied). This becomes problematic as the Windows Hello for Business prompt is classed as Modern Auth and therefore triggers a policy which would need 2 factors; this in turn appears to prompt for Okta Verify during the setup of WHfB and cannot be completed, as the Okta Verify screen doesn't display over the top of the WHfB screen.
I do not want it so that Modern Authentication on our managed devices requires 2 factors, and I do not want users to be able to set up Outlook, Word etc. on non-managed devices. Is this possible with a custom expression, or possibly with another feature outside the managed devices?
Thanks.

Hello @qxp1l (qxp1l), thank you for reaching out to our Community!
I believe this can be resolved by using the Possession factor in the Sign-on Policy for Okta, which would use the Fingerprint/Face ID of the device/FIDO2 MFA. For this you can see our doc below:
https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/add-app-sign-on-policy-rule.htm
Please also see our doc on Device trust with Intune which I believe would further help your cause:
https://www.vulongtran.com/how-to-set-up-intune-mdm-okta
Wouldn't this still allow for modern auth on non-managed devices and therefore allow for Outlook etc. access with simply 2 factors (even if it is limited to Possession factors)?
The only requirement would be to have 2 factors on the WHfB setup.
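To make the difference between the two designs in this thread concrete (the Possession-only rule suggested in the answer versus the managed-device rule plus catch-all deny the questioner describes), here is an added example that is not from the thread or from Okta: a small Python evaluator over rules written in the shape of Okta's OIE app sign-on (ACCESS_POLICY) rule JSON. The field names (`conditions.device.managed`, `actions.appSignOn.verificationMethod.factorMode`, the `possession.deviceBound` constraint) and the device contexts are assumptions to check against the Okta API reference, not the output of a real tenant.

```python
# Added example: compare two Okta-style app sign-on policy designs offline.
# Rule and context shapes are ASSUMED to mirror Okta's ACCESS_POLICY rule API.

def rule(name, priority, managed=None, access="ALLOW", factor_mode="1FA",
         constraints=None):
    """Build one app sign-on rule. managed=None means 'any device'."""
    conditions = {}
    if managed is not None:                      # device-trust condition
        conditions["device"] = {"managed": managed, "registered": True}
    action = {"access": access}
    if access == "ALLOW":                        # DENY rules carry no assurance
        action["verificationMethod"] = {"type": "ASSURANCE",
                                        "factorMode": factor_mode,
                                        "constraints": constraints or []}
    return {"name": name, "priority": priority,
            "conditions": conditions, "actions": {"appSignOn": action}}

def matches(r, ctx):
    """A rule matches when every device condition equals the request context."""
    return all(ctx.get(k) == v
               for k, v in r["conditions"].get("device", {}).items())

def evaluate(policy, ctx):
    """First matching rule in priority order wins, like Okta's rule ordering."""
    for r in sorted(policy, key=lambda r: r["priority"]):
        if matches(r, ctx):
            return r["actions"]["appSignOn"]
    return {"access": "DENY"}                    # implicit deny if nothing matches

# Design 1 (the answer): any device, 2FA, possession factor must be device-bound.
POSSESSION_ONLY = [rule("Possession 2FA", 0, factor_mode="2FA",
                        constraints=[{"possession": {"deviceBound": "REQUIRED"}}])]

# Design 2 (the question): 1FA on Intune-managed devices, deny everything else.
DEVICE_TRUST = [rule("Managed devices", 0, managed=True, factor_mode="1FA"),
                rule("Catch-all", 1, access="DENY")]

# Constructed request contexts (what an Okta Verify device signal would carry).
MANAGED = {"managed": True, "registered": True}
UNMANAGED = {"managed": False, "registered": False}

if __name__ == "__main__":
    for name, policy in (("possession-only", POSSESSION_ONLY),
                         ("device-trust", DEVICE_TRUST)):
        for label, ctx in (("managed", MANAGED), ("unmanaged", UNMANAGED)):
            print(name, label, evaluate(policy, ctx)["access"])
```

Running it shows the point raised in the follow-up: the possession-only design still returns ALLOW for the unmanaged context, while the device-trust design grants 1FA only to the managed context and denies the rest.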