Third-Party MFA Challenge: Seamless Device Enrollment and Authentication with Microsoft Intune

Introduction

Last week, during a Microsoft Intune deployment, we found that the third-party MFA and passwordless solution was a stumbling block to deploying a device with Microsoft Intune. It prevented us from logging in with the user as usual during the entire enrollment process with Windows Autopilot. That gave me the opportunity to write an article with the solution I’ve implemented. So welcome to my new blog post, Third-Party MFA Challenge: Seamless Device Enrollment and Authentication with Microsoft Intune.

What was the problem?

When we started rolling out the user’s device we encountered the first challenge: the moment the user needed to log on and went through the MFA process, the last thing we got was a blank screen, which prevented the MFA authentication from continuing. The result was that no authentication was possible.

Example of login issue during Windows Autopilot Enrollment

So now what? To solve this part, we tried the device enrollment with a Device Enrollment Manager account. This went off without a hitch, but in the end, we ran into a second challenge after a successful Autopilot deployment. The users’ login credentials were not “recognized” during the login process. The cause was that as soon as a user tried to log in with his or her @domain.com account, a redirect was automatically done to the third-party solution’s platform.

Example of an error at Windows login when using a third-party MFA solution that is not compatible

Are we done yet? I don’t think so. The next thing we tried was enabling Web Sign In for Windows 11 with Microsoft Intune, but this resulted in the same blank screen we got during the Windows Autopilot enrollment.

Example of error when trying to use web login with third party MFA

So we were able to solve or work around this without writing off the third-party solution. Our advice was to move to the integrated Microsoft MFA solution, but that was not an option “for now.”

How did we solve this?

To solve the above problem we have used and configured the following:

  • Enable Web Sign In for Windows 11 on the device level with Microsoft Intune
  • Enable Temporary Access Pass for a certain group, in our case all users with an active Intune license (Entra ID dynamic user group)
  • Enable Windows Hello for Business with Microsoft Intune

With the above settings and features enabled, we were able to enroll the device and also made it possible for the user to sign in on his or her device.

Let me show you how we configured this!

The Solution

In this section, we go through all the things we configured to create the solution.

Enable Web Sign In for Windows 11 with Microsoft Intune

First, we are going to make a configuration profile in Microsoft Intune that we are going to assign to a device group. Make sure the affected device is a member of this group.

Go to the Microsoft Intune admin center and sign in with your administrator account. Make sure your account has the necessary permissions (Intune Administrator is the least privileged role you need).

Next, go to Devices | Windows | Configuration and create a settings catalog profile for Windows 10 or later. In the Settings picker select the following settings.

Enable the Web Sign In setting and add URLs that need to be Allowed while using Web Sign In.

INFORMATION

To find out which URLs need to be allowed, I ran into some error messages while trying to use Web Sign In. The affected URL was shown in the error, and that was the one I needed to add to the Allowed URLs list.
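A quick way to confirm on an enrolled device that the Web Sign In profile actually applied, as an added example that is not part of the original post. It assumes the Policy CSP mirrors applied settings under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting> and that the allowed URLs are stored as a semicolon-separated string, so treat both as assumptions to verify on your own tenant.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the enrolled Windows 11 device to verify the Web Sign In settings.
# Assumption: applied Policy CSP values are mirrored under this key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'

if (-not (Test-Path $policyKey)) {
    Write-Warning "Authentication policy area not found; the profile has not applied yet. Trigger an Intune sync and retry."
    return
}

$props = Get-ItemProperty -Path $policyKey

# EnableWebSignIn: 1 = enabled, anything else = not enabled
$enabled = [int]($props.EnableWebSignIn)
Write-Host "EnableWebSignIn: $enabled"
if ($enabled -ne 1) {
    Write-Warning "Web Sign In is not enabled on this device; the sign-in screen will not offer the web option."
}

# Allowed URLs (assumed to be a semicolon-separated list, as in the CSP docs)
$allowed = [string]$props.ConfigureWebSignInAllowedUrls
if ($allowed) {
    Write-Host "Allowed Web Sign In URLs:"
    $allowed -split ';' | Where-Object { $_ } | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Warning "No allowed URLs configured; the redirect to the third-party MFA pages will be blocked during Web Sign In."
}
```

If the third-party URL from the error message is missing from the list, add it to the settings catalog profile and sync again.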

So this was the first thing we needed to configure. Next up is to enable Temporary Access Pass as an authentication method for our affected users.

Enable Temporary Access Pass as Authentication Method

Temporary Access Pass (TAP) in Microsoft Entra ID is a time-limited passcode that allows users to register passwordless authentication methods and recover access to their accounts without needing a password.

Go to the Microsoft Entra ID admin center and go to Protection | Authentication Methods | Policies and choose Temporary Access Pass.

Now Enable the Temporary Access Pass and assign it to a specific user group. In our case, we’ve assigned it to a dynamic user group based on an active Microsoft Intune license.

So we are now able to create a TAP for any user who is a member of the assigned group.

Enforce Windows Hello for Business at first logon

The last step we need to configure is Windows Hello for Business. This is mandatory as this will be the default login method for the end users on their devices.

We’ve created an Account Protection Policy that will enable the configuration of Windows Hello for Business at first sign-in after the Windows Autopilot enrollment.

Go to the Microsoft Intune admin center, then go to Endpoint Security | Account Protection, and create the following Account Protection policy for enabling Windows Hello for Business. Assign this policy to the same user group you used for enabling TAP.


NOTE

Use the settings you need in your own Windows Hello for Business policy. This screenshot is only an example.

Now that everything is prepared for our tenant, it’s ready to test our Windows Autopilot enrollment.

Enrollment Procedure

Let’s start the enrollment! The first thing we need to do is create a Temporary Access Pass for our user.

Create a Temporary Access Pass

Go to the Microsoft Entra ID admin center and go to Users | All users, then select the needed user and go to Authentication methods.


Now choose + Add authentication method and choose Temporary Access Pass with the following settings.


IMPORTANT
Set the Activation duration to 1 hour, which is the minimum you can set. If your enrollment takes longer than one hour and your TAP has expired, just create a new one and use that.
Also set One-time use to No, because during the enrollment you may need to authenticate more than once.

Now choose Add and your TAP will be created and shown. Leave this screen open, because once you’ve closed it you can’t see the TAP value anymore and will need to create a new one.
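The same Temporary Access Pass can be created with Microsoft Graph PowerShell, which is handy when you enroll devices for many users. This is an added example, not from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in admin may create authentication methods for other users, and the UPN is a placeholder.

```powershell
# Added example, not from the original post. Creates a TAP with the same
# settings as the portal walkthrough: 1 hour lifetime, reusable (not one-time).
Import-Module Microsoft.Graph.Identity.SignIns

# Delegated permission needed to manage other users' authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId = "user@domain.com"   # placeholder: UPN of the user being enrolled

# LifetimeInMinutes 60 matches the 1 hour activation duration from the portal.
# IsUsableOnce:$false matches "One-time use = No" so the user can authenticate
# more than once during Autopilot enrollment and the first Web Sign In.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $userId `
    -LifetimeInMinutes 60 `
    -IsUsableOnce:$false

# The pass value is only returned by this call; it cannot be read back later.
Write-Host "TAP for $userId : $($tap.TemporaryAccessPass)"
Write-Host "Valid from $($tap.StartDateTime) for $($tap.LifetimeInMinutes) minutes"

# After the device is enrolled, remove any pass that is still valid so the
# user is left with Windows Hello for Business only.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId |
    ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod `
            -UserId $userId `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
```

Run the clean-up part only once the enrollment and first sign-in are finished, otherwise the user can no longer authenticate with the TAP.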


So now that we have an active Temporary Access Pass for our user, we can start enrolling the device.

Windows Autopilot Enrollment

Boot up your device and make sure your Windows Autopilot setup is working.

On the sign-in page, fill in the username and choose Next.


In the next screen, you’ll be asked to enter the Temporary Access Pass. Fill in the Temporary Access Pass and choose Sign in.


You’ll notice that the authentication was successful, and the Enrollment Status Page will be shown.


Once the enrollment is done, the Windows 11 login screen will be shown, and because we’ve enabled Web Sign In, we are now able to sign in through a web interface. Choose Sign in.


A pop-up will appear that will show the Microsoft 365 log-in page. Sign in with the username and choose Next.


If your Temporary Access Pass is still active, you’ll be asked to enter it. Fill in the Temporary Access Pass and choose Sign in.


Your user will now sign in to Windows 11 and, because we’ve enabled Windows Hello for Business, the first thing you’ll be asked to do is set up Windows Hello for Business.


Choose OK and create a PIN code (following the PIN requirements) to configure Windows Hello for Business.

Providing a PIN code for Windows Hello for Business

If all the requirements for the PIN are met, just choose OK; your PIN code is set and Windows Hello for Business is active. This will be the default sign-in method to get access to your device.

The final result: access to the desktop

Conclusion

So, this is how I solved the third-party MFA challenge and got everything working. It took a bit more configuration, but in the end everything is working.
But to be honest, I’m not a big fan of third-party federation/MFA solutions with Microsoft 365. They are always an extra point of failure in your authentication process. So the next step is to convince our customer to move to Entra ID MFA, but at least we can now continue the rollout of our Microsoft Intune project, so happy customer = happy me!

I hope this post can be helpful in case you come across a similar challenge. And if you have any questions, suggestions, or remarks, don’t hesitate to contact me.

See you next time! Cheers

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Expert for Arxus with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He is also a Microsoft Certified Trainer since 2021.
