
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA


Enforcing MFA for Admins

If the 'Require MFA for admins' Conditional Access Policy is enabled, and if the admin's device is Hybrid AD Joined, since the device has a PRT it won't prompt for MFA. Can we enforce MFA only for admin users even if they are Hybrid AD Joined?


Not directly - if using a browser that cannot make use of the PRT, e.g. Firefox, the user will get prompted for a 2nd factor in this browser session.

Another option would be to use multifactor unlock in Windows Hello to enforce the explicit use of yet another factor for Windows login.


May I ask why this is requested? The PRT only includes the claim when the user has in fact verified it is his device by doing MFA during registration - why ask this for a 2nd time?

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)