MFA Shall be required for Intune Enrollment

Description

You can use Intune together with Azure Active Directory (Azure AD) conditional access policies to require multifactor authentication (MFA) during device enrollment. When MFA is required, employees and students who want to enroll a device must first complete an MFA challenge, presenting a second form of credential from a second device (for example, an authenticator app) in addition to their password. We do not want unauthorized users joining devices to our network.

Policy

  • MFA shall be required to enroll devices into Intune

Licensing Considerations

This setting requires at least an Azure AD P1 license, which is available standalone or as part of the following bundles:

  • EMS+E3/E5

  • Microsoft 365 Business Premium

  • Microsoft 365 E3

  • Microsoft 365 E5

Set-Up Instructions

Require multifactor authentication for Intune device enrollment - Microsoft Intune | Microsoft Learn

End-User Impact

Level: Medium

Users must satisfy the MFA prompt in order to successfully enroll a device. Users signing in for the very first time who have not yet configured an MFA method cannot complete enrollment until a method is registered; see Tips below for how to bootstrap them.

Tips

For users signing in for the very first time who have not configured MFA methods, a temporary access pass can be used: Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods - Microsoft Entra | Microsoft Learn

PowerShell Scripts

azure-ad-conditional-access-apis/readme.md at main · Azure-Samples/azure-ad-conditional-access-apis (github.com)
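The following Microsoft Graph PowerShell script is an added example, not code from this page or from the linked Azure-Samples repository. It creates the Conditional Access policy this policy statement calls for (cloud apps "Microsoft Intune Enrollment" and "Microsoft Intune", grant control "Require multifactor authentication"), deploys it in report-only mode so sign-in logs can be reviewed before enforcement, and includes an audit function that checks whether an enabled policy already covers Intune enrollment with MFA. It assumes the Microsoft.Graph modules are installed, that the caller holds the Policy.ReadWrite.ConditionalAccess, Application.Read.All and Group.Read.All permissions, and that an emergency-access group exists; the group name 'CA-BreakGlass' is a hypothetical placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications, Microsoft.Graph.Groups

# Added example (not from the original page or the Azure-Samples repo).
# Creates a report-only Conditional Access policy requiring MFA for Intune enrollment.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve the first-party Intune service principals by display name instead of
# hard-coding application ids, so the script works in any tenant.
$enrollApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"
$intuneApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune'"
if (-not $enrollApp -or -not $intuneApp) {
    throw 'Intune service principals not found; confirm Intune is provisioned in this tenant.'
}

# Always exclude an emergency-access (break-glass) group so a misconfigured
# policy cannot lock every administrator out. 'CA-BreakGlass' is a hypothetical name.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'"
if (-not $breakGlass) {
    throw 'Break-glass group not found; create it before deploying Conditional Access policies.'
}

$policyBody = @{
    displayName   = 'Require MFA for Intune enrollment'
    # Report-only first: evaluate impact in the sign-in logs, then set state = 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @($enrollApp.AppId, $intuneApp.AppId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

function Test-IntuneEnrollmentMfaPolicy {
    <#
    .SYNOPSIS
      Returns $true when at least one ENABLED Conditional Access policy targets the
      Intune enrollment app (or all apps) and requires MFA. Report-only policies do
      not count, which is the point: this is the check to run after enforcement.
    #>
    param([Parameter(Mandatory)][string]$EnrollmentAppId)

    $policies = Get-MgIdentityConditionalAccessPolicy -All
    foreach ($p in $policies) {
        if ($p.State -ne 'enabled') { continue }
        $apps = $p.Conditions.Applications.IncludeApplications
        $coversEnrollment = ($apps -contains 'All') -or ($apps -contains $EnrollmentAppId)
        $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
        if ($coversEnrollment -and $requiresMfa) {
            Write-Verbose "Covered by policy '$($p.DisplayName)'"
            return $true
        }
    }
    return $false
}

# Audit: expected to be $false until the policy above is switched from report-only to 'enabled'.
Test-IntuneEnrollmentMfaPolicy -EnrollmentAppId $enrollApp.AppId
```

Run the audit function on a schedule (or from a compliance pipeline) so that a policy being disabled or having its MFA control removed is noticed, not just the initial deployment. Note that a policy whose applications list is 'All' also satisfies the check, since it necessarily covers enrollment.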

Videos
