While comparing the domain join experience when joining an Azure Active Directory domain to the experience when joining a ‘regular’ on-premise domain, I noticed the AAD joined machine prompted me to set up a PIN for login purposes.
Of course, I wanted to check if this was also possible on my on-premise joined machine, but, alas, all options related to this (Settings -> Accounts -> Sign-in options) were greyed out…
Luckily, a quick Google search later, I found this TechNet thread explaining that all that was needed to re-enable this was a simple registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
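
To check what a machine currently has for this value before changing it, the same entry can be audited and set from PowerShell. This is an added example, not part of the original post; the function names `Get-DomainPinLogonState` and `Set-DomainPinLogon` are hypothetical, and only the registry path and value name come from the entry above.

```powershell
# Added example: audit and optionally set the AllowDomainPINLogon policy value.
# Function names are hypothetical; key path and value name are from the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName = 'AllowDomainPINLogon'

function Get-DomainPinLogonState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' for the local machine.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # key or value is absent
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-DomainPinLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    # The key may not exist on a machine where no System policy was ever applied.
    if (-not (Test-Path -Path $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create registry key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }

    $data = if ($Enabled) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set DWORD to $data")) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName `
            -PropertyType DWord -Value $data -Force | Out-Null
    }
}

# Report the current state, then show what a change would do without writing it.
"Current state: $(Get-DomainPinLogonState)"
Set-DomainPinLogon -Enabled $true -WhatIf
```

Dropping `-WhatIf` writes the value and needs an elevated session. Because the value lives under the `Policies` key, a domain Group Policy that configures the same setting will overwrite a local change at the next policy refresh.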