I am the CTO for a special needs school using Azure AD to authenticate into Windows/Office 365. I want to be able to create individual student user AD accounts, but the PIN requirement(s) give me pause, as I can't require hundreds of elementary special needs students to authenticate using a mobile device they may not possess. Reached out to @azuresupport and they suggested disabling Multi-Factor Authentication (http://aka.ms/fw9eon), but it already is disabled. Anytime a new user logs in the PIN requirement still appears. Need some assistance on this as I'd like to migrate all of our accounts (admins/faculty/students) to Azure AD over summer break. Thanks!
You can refer to Gary Henderson's response in the following link - https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10596201-the-possibility-to-disable-two-step-verification
Tried all this - signed up for an Intune trial and went through the process of disabling Windows Hello. Created a new user in Azure AD. Upon first login, it is saying "Your organization requires Windows Hello" and will not allow further setup without a creation of a PIN.
Could you share why you want to turn off PIN setup? We are moving customers off passwords to Windows Hello for Business. If you have to turn it off then you should do that by pushing policy through your MDM. The PassportForWork CSP has a policy for enabling Hello for Business. If you set this to disabled then you won’t see the PIN prompt during the join. This will not affect auto-join.
You may try using GPO to disable the functionality. https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization
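Added example, not part of any post in this thread: a PowerShell check to run on an affected device to see whether a Windows Hello for Business policy from either route mentioned above (the PassportForWork CSP via MDM, or GPO) has actually arrived. The registry locations and value names are assumptions taken from how Windows commonly stores these two policies, and `Get-HelloPolicyState` is a hypothetical helper name.

```powershell
# Added example: report the Windows Hello for Business policy state on this device.
# Assumed locations (not stated in the thread):
#   GPO -> HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, value "Enabled"
#   MDM -> HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<tenant id>\Device\Policies,
#          value "UsePassportForWork"
$gpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'

function ConvertTo-HelloState($value) {
    # 0 = policy says disabled, 1 = policy says enabled, absent = not configured
    if ($null -eq $value) { 'NotConfigured' }
    elseif ($value -eq 0) { 'Disabled' }
    else                  { 'Enabled' }
}

function Get-HelloPolicyState {
    $rows = @()

    # Group Policy route
    $gpo = Get-ItemProperty -Path $gpoKey -Name Enabled -ErrorAction SilentlyContinue
    $gpoValue = if ($gpo) { $gpo.Enabled } else { $null }
    $rows += [pscustomobject]@{
        Source = 'GPO'; Scope = 'Device'; State = ConvertTo-HelloState $gpoValue
    }

    # MDM route: the CSP stores its policy under one subkey per tenant id
    if (Test-Path $mdmRoot) {
        foreach ($tenant in Get-ChildItem -Path $mdmRoot) {
            $policyKey = Join-Path $tenant.PSPath 'Device\Policies'
            $mdm = Get-ItemProperty -Path $policyKey -Name UsePassportForWork `
                       -ErrorAction SilentlyContinue
            $mdmValue = if ($mdm) { $mdm.UsePassportForWork } else { $null }
            $rows += [pscustomobject]@{
                Source = 'MDM'; Scope = $tenant.PSChildName
                State  = ConvertTo-HelloState $mdmValue
            }
        }
    } else {
        # No CSP key at all: no MDM policy for Hello has reached this device
        $rows += [pscustomobject]@{ Source = 'MDM'; Scope = '-'; State = 'NotConfigured' }
    }
    $rows
}

Get-HelloPolicyState | Format-Table -AutoSize
```

If every row reads `NotConfigured`, the disable policy has not reached the device yet, which would match the PIN prompt still appearing at first sign-in.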