Enforcing MFA for Admins
If 'Require MFA for admins' Conditional Access Policy is enabled, and if the admins device is Hybrid AD Joined since the device has PRT it won't prompt for MFA. Can we enforce MFA only for admin users even if they are Hybrid AD Joined.
Not directly - if using a browser that can not make use of the PRT, like e.g. Firefox, user will get prompted for 2nd factor in this browser session.
Other option would be to use multifactor unlock in Windows Hello to enforce the explicit use of yet another factor for Windows login.
May I ask why this is requested? The PRT does only include the claim when user has in fact verified it is his device by doing MFA during registration - why ask this for a 2nd time?
Receive consultations via Technical Presales and Deployment Services team