Versions Compared

Old Version 3

changes.mady.by.user Adam Darwin

Saved on

compared with

New Version Current

changes.mady.by.user Adam Darwin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Computer Logon for Entra ID supports many MFA scenarios, including

  • MFA for both Entra ID (Azure AD) domain users and local users. 
  • MFA at bootup login, screen unlock, and elevated access
  • MFA when PC is online & offline

For each scenario, it provides a separate set of options that allow you to control whether or not  MFA is required, and the frequency of MFA requirement etc.

Those options are in the "domain_policy.json" file.

Expand
Code Block
themeEclipse
{
    "local": {
        "offline": {
            "MfaPolicy": {
                "loginMfa.enable": false,
                "loginMfa.skipHoursLastMfa": 0,
                "uacMfa.enable": false,
                "uacMfa.skipHoursLastMfa": 0,
                "uacMfa.skipMinutesLastUac": 0,
                "unlockMfa.enable": false,
                "unlockMfa.skipHoursLastMfa": 0,
                "unlockMfa.skipMinutesLastLock": 0
            },
            "OtpPolicy": {
                "PinEnabled": false,
                "TotpTolerance": 1,
                "TotpAutoSync": true,
                "HotpTolerance": 5,
                "HotpAutoSync": true
            }
        }
    },

    "azuread": {
        "online": {
            "MfaPolicy": {
                "loginMfa.enable": true,
                "loginMfa.skipHoursLastMfa": 0,
                "uacMfa.enable": false,
                "uacMfa.skipHoursLastMfa": 0,
                "uacMfa.skipMinutesLastUac": 0,
                "unlockMfa.enable": false,
                "unlockMfa.skipHoursLastMfa": 0,
                "unlockMfa.skipMinutesLastLock": 0
            }
        },
        "offline": {
            "MfaPolicy": {
                "loginMfa.enable": false,
                "loginMfa.skipHoursLastMfa": 0,
                "uacMfa.enable": false,
                "uacMfa.skipHoursLastMfa": 0,
                "uacMfa.skipMinutesLastUac": 0,
                "unlockMfa.enable": false,
                "unlockMfa.skipHoursLastMfa": 0,
                "unlockMfa.skipMinutesLastLock": 0
            },
            "OtpPolicy": {
                "PinEnabled": false,
                "TotpTolerance": 1,
                "TotpAutoSync": true,
                "HotpTolerance": 5,
                "HotpAutoSync": true
            }
        }
    }
}



Options for Local Users

Image Added



onlineoffline
bootup login
local\offline\MfaPolicy\loginMfa
screen unlock
local\offline\MfaPolicy\unlockMfa
elevated access
local\offline\MfaPolicy\uacMfa


Options for Domain Users

Image Added


onlineoffline
bootup loginazuread\online\MfaPolicy\loginMfaazuread\offline\MfaPolicy\loginMfa
screen unlockazuread\online\MfaPolicy\unlockMfaazuread\offline\MfaPolicy\unlockMfa
elevated accessazuread\online\MfaPolicy\uacMfaazuread\offline\MfaPolicy\uacMfa


If you wish to customise some of those options, then you need to edit the "domain_policy.json" file in a text editor and change the corresponding options. 

For instances

  • if you want to enforce MFA for Azure AD domain users when PC is online on screen unlock, then you need to set the option "azuread\online\MfaPolicy\unlockMfa" to "true"
  • if you want to enforce MFA for local users when PC is online on screen unlock, then you need to set the option "local\online\MfaPolicy\unlockMfa" to "true"


Expand
titleSet up policy options for offline MFA for domain users...

Include Page
Set up policy options for offline MFA for domain users
Set up policy options for offline MFA for domain users


Expand
titleSet up policy options for offline MFA for local users...

Include Page
Set up policy options for offline MFA for local users
Set up policy options for offline MFA for local users

azure

...