Implementing Windows Hello for Business, SSPR, Password Protection, and MFA in Microsoft 365

Implementing Windows Hello for Business, SSPR, Password Protection, and MFA in Microsoft 365

Passwords used to be the main way we protected user accounts. Today, they are often the weakest link.

Users forget them, reuse them, write them down, or fall for phishing emails. Attackers know this and target passwords all the time. To fix this, Microsoft 365 and Entra ID give us better tools: Windows Hello for Business, self-service password reset (SSPR), password protection, and multifactor authentication (MFA).

In this post, we’ll walk through:

  • Why passwords alone are not enough
  • What Windows Hello for Business is and how to configure it using Intune
  • How to enable and configure SSPR
  • How password protection helps block weak passwords
  • How to define and enforce MFA methods, including Conditional Access
  • A short FAQ at the end

Why Passwords Are Not Enough

On paper, strong passwords are secure. In real life, they cause problems:

  • Hard to remember
    Long, complex passwords lead to constant lockouts and support tickets.
  • Bad storage habits
    Users write them on sticky notes, save them in plain text, or reuse them across sites.
  • Easy to steal and reuse
    Phishing, keyloggers, and credential dumps make it easy for attackers to capture passwords. Once they have a password, they can often use it from any device, anywhere.

We need sign-in methods that:

  • Are easier for users
  • Are resistant to phishing
  • Tie authentication to specific devices or strong factors

That’s where Windows Hello for Business, SSPR, password protection, and MFA come in.

Windows Hello for Business

What Is Windows Hello for Business?

Windows Hello for Business replaces passwords with:

  • A PIN, and/or
  • Biometric sign-in (face or fingerprint)

The key difference: the PIN or biometric is tied to a specific device and backed by cryptographic keys in the device’s trusted hardware (TPM). Even if someone knows the account password, they cannot use that PIN on another machine.

Users can use Windows Hello for Business to sign in to:

  • Windows 11 devices
  • Apps and enterprise content
  • Online authentication providers

Why Use Windows Hello?

Some core benefits:

  • Protection against credential theft
    Keys stay on the device. Attackers cannot simply reuse a password elsewhere.
  • Phishing resistant
    An attacker can’t steal your fingerprint or face with a fake login page.
  • Cloud-only and hybrid support
    Works with Entra ID cloud-only tenants and hybrid environments with on-premises AD.
  • Fast sign-in
    User opens the laptop → camera recognizes them → they’re in. Simple experience, less friction.

Configuring Windows Hello for Business with Intune

You can configure Windows Hello for Business centrally using Microsoft Intune.

Step 1: Create an Account Protection Policy

  1. Go to the Microsoft Intune admin center.
  2. In the left menu, select Endpoint security.
  3. Click Account protection.
  4. Select Create Policy.
  5. Platform: Windows 10 and later.
  6. Profile: Account protection.
  7. Click Create and give the policy a name, for example:
    WHfB – Sales Users or Windows Hello for Business – Corp Devices.

Step 2: Optional – Enable Device Guard / Credential Guard

Within the same policy, you can also configure sign-in security features like Credential Guard.

  • Enable Device Guard / Credential Guard (for example, Enable with UEFI lock).
  • This helps protect credentials stored in memory (like NTLM hashes and Kerberos tickets).

This is not required for Windows Hello for Business but is a good security add-on.

Step 3: Configure Windows Hello for Business Settings

In the Windows Hello for Business section of the policy, configure:

  • PIN recovery
    Allow users to reset or recover their PIN if they forget it.
  • PIN history
    Prevent users from reusing the same PIN over and over.
  • PIN complexity
    Set:
    • Minimum and maximum PIN length
    • Whether to require digits, lowercase, uppercase, and special characters

You can configure both:

  • Device-based settings
    Apply to anyone who signs into that specific device.
  • User-based settings
    Follow the user, regardless of which managed device they sign into.

If you leave a setting as Not configured, it uses the default behavior. For example, some defaults do not allow special characters in the PIN. It’s safer to explicitly set the options you want.

Step 4: Assign the Policy

  1. Click Next until you reach Assignments.
  2. Assign the policy to a user group or device group (for example, Sales, IT, or All Windows 11 Devices).
  3. Optionally apply assignment filters (e.g., only laptops, only specific builds).
  4. Review and click Create or Save.

Once devices check in with Intune, users will be prompted to set up Windows Hello for Business based on your policy.

Self-Service Password Reset (SSPR)

Self-service password reset (SSPR) lets users reset or unlock their passwords without calling IT.

This reduces support tickets and helps users recover access quickly and securely.

Enabling SSPR

  1. Go to Microsoft Entra admin center.
  2. In the navigation, select Users.
  3. Click Password reset.

Under Properties, choose:

  • None – SSPR disabled
  • Selected – Only specific users/groups can use SSPR
  • All – All users in the tenant can use SSPR

Most organizations will enable SSPR for All users once they are ready.

Configuring Methods (SSPR + MFA)

Previously, SSPR and MFA used separate method settings. Now, Microsoft uses converged authentication methods.

This means:

  • You configure which methods are available under Authentication methods.
  • These methods are used by both SSPR and MFA.

Common methods you can enable:

  • Microsoft Authenticator app
  • SMS text message
  • Voice call
  • Email one-time passcode
  • Certificate-based authentication
  • Temporary Access Pass
  • Other supported modern methods

In the SSPR section, you also:

  • Choose how many methods are required to reset a password (e.g., 1 or 2).
  • Choose which of the allowed methods users can use for SSPR.

Good practice:
Always include at least one method that does not require the user’s smartphone, in case the phone is lost or broken.

Entra ID Password Protection

Entra ID password protection blocks weak and predictable passwords, even for on-premises accounts if you integrate it with AD.

Global Banned Password List

Microsoft maintains a global banned password list, which includes:

  • Common passwords (e.g., “Password123”)
  • Variations attackers often use
  • Common patterns and words

This list is maintained and updated by Microsoft and applied when password protection is enabled.

Custom Banned Password List

You can add up to 1000 custom banned passwords, such as:

  • Variations on your company name
  • Common internal terms or product names
  • Local phrases you know users will try to use

Admins can choose:

  • Use only the global list (default), or
  • Use the global list + custom list

Configuring Password Protection

  1. In the Entra admin center, go to Authentication methods.
  2. Select Password protection.
  3. Configure:
    • Smart lockout threshold – how many failed attempts trigger lockout.
    • Lockout duration in seconds – how long the account is locked out.
    • Banned passwords – use only Microsoft’s list or add your own custom list.
  4. If using custom banned passwords, paste them into the provided field.
  5. Click Save.

For many organizations, the global list is enough. Custom entries help if users keep picking passwords based on your company name, local sports team, or other easy guesses.

Multifactor Authentication (MFA)

MFA adds an extra layer of security by requiring two or more of:

  • Something you know – password or PIN
  • Something you have – device, phone, security key, smart card
  • Something you are – biometric (face, fingerprint)

Example: at an ATM, you need:

  • The card (something you have)
  • The PIN (something you know)

Same idea for Microsoft accounts.

MFA Methods in Microsoft 365 / Entra ID

Common MFA combinations:

  • Password + Microsoft Authenticator push notification
  • Password + SMS one-time code
  • Password + hardware token / FIDO2 key
  • Windows Hello for Business (device + biometric/PIN)

Windows 11 supports:

  • PIN
  • Biometric (face/fingerprint)
  • Certificates (e.g., smart card or USB device)

Configuring Allowed MFA Methods

  1. Go to Authentication methods in Entra admin center.
  2. For each method (e.g., Microsoft Authenticator, SMS, FIDO2 security keys, etc.):
    • Turn it On.
    • Scope it to All users or specific groups.

Remember:
Users should have at least two methods configured so they are not locked out if one method fails.

Enabling and Enforcing MFA for Users

You can enable MFA in two main ways:

  1. Per-user MFA
  2. Conditional Access–based MFA (recommended)

Per-User MFA

This is the older, simpler method.

  1. In Entra admin center, go to Users.
  2. Click Per-user MFA (top bar).
  3. On the Users tab, you can:
    • See who has MFA enabled/enforced.
    • Enable MFA for specific users.

In Service settings, you can also allow users to:

  • “Remember MFA on trusted devices” for a number of days (e.g., 7 or 14 days).

This reduces repeated prompts on the same device. In a lab tenant, some admins set a very high number (like 365 days) to avoid constant prompts, but that is not a good idea for production.

Conditional Access–Based MFA (Preferred)

Conditional Access lets you require MFA only when needed.

For example, you can require MFA when:

  • Users access sensitive apps (Exchange, SharePoint, Teams, admin portals).
  • Users sign in from outside the corporate network.
  • Device is non-compliant or unknown.
  • User risk or sign-in risk is high.

Basic setup:

  1. Go to Protection > Conditional Access in Entra admin center.
  2. Create a new policy.
  3. Assign:
    • Users or groups.
    • Cloud apps (e.g., “All cloud apps” or a subset).
  4. Configure conditions (locations, device platforms, risk, etc.).
  5. Under Access controls > Grant:
    • Select Grant access.
    • Check Require multifactor authentication.
  6. Turn the policy On after testing.

This gives you much more control than simple per-user MFA and is the preferred approach for modern deployments.

Putting It All Together

Here’s a simple rollout plan for a modern, secure identity setup:

  1. Enable Windows Hello for Business
    • Configure WHfB in Intune with an Account protection policy.
    • Enforce reasonable PIN complexity and allow biometrics where supported.
  2. Turn on SSPR
    • Enable for All users (when ready).
    • Require one or two methods.
    • Make sure there’s at least one non-phone option.
  3. Configure Password Protection
    • Use Microsoft’s global banned password list.
    • Add custom banned passwords if needed.
    • Set smart lockout thresholds and durations.
  4. Define Authentication Methods
    • Enable Microsoft Authenticator, security keys, SMS, etc. under Authentication methods.
    • Scope methods to groups if you want more control.
  5. Require MFA via Conditional Access
    • Start with key applications and admin access.
    • Expand as you test and monitor.
  6. Educate Users
    • Explain the difference between passwords and Windows Hello PINs.
    • Show how to enroll and use Windows Hello.
    • Show how to use SSPR instead of calling the help desk every time.

This approach improves security and reduces friction for users and admins.

FAQ

Q1. Is a Windows Hello PIN really more secure than a password?
Yes. The PIN is tied to the device and backed by keys in the TPM. Even if someone learns your PIN, they cannot use it on another machine. It also supports additional protections like anti-hammering (blocking repeated attempts).

Q2. Do I still need passwords if I use Windows Hello for Business?
In most environments, yes, at least as a backup. But Windows Hello for Business is designed to make day-to-day sign-ins passwordless. Over time, you can move toward more passwordless scenarios using WHfB, FIDO2 keys, and Conditional Access.

Q3. What happens if a user loses their phone and can’t do MFA?
This is why you should configure multiple methods and SSPR. Admins can issue a Temporary Access Pass or help the user register new methods. Users can also use other configured methods like email OTP, security key, or Windows Hello.

Q4. Is the global banned password list enough, or should I add custom banned passwords?
For many tenants, the global list is enough. However, if users often pick passwords based on your company name, products, or local terms, it’s a good idea to add these to your custom banned list.

Q5. Should I use per-user MFA or Conditional Access?
Per-user MFA is simple but limited. Conditional Access is the modern, recommended way. It lets you require MFA based on risk, app sensitivity, device compliance, and other conditions, which gives you better security and user experience.

LinkedInCopyPinterestRedditTelegramChatGPTSMS

Related Posts

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by