Thanks for the feedback. We’ve been reviewing this to improve the first logon experience, and will update the status of this suggestion when we finalize the plan.
Ravi

David Hart commented
If you enable SSPR access from the GINA login screen on Windows 10, your users can reset their passwords when they're expired prior to logon.
80 votes · 17 comments

David Hart commented
This can be easily implemented by having a conditional access policy that enforces MFA, tied to an Azure AD Security Group.
Turn on AAD Self Service Group Management for that group, and allow users to request to join it.
We’re currently working on this capability and will provide an update when it’s done.
However, instead of expanding the “Additional Local administrators” setting, we will support adding AAD groups to Windows 10 local groups (e.g. Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices.
3 votes · David Hart shared this idea