MFA Shall be required for Intune Enrollment
Description
You can use Intune together with Azure Active Directory (Azure AD) Conditional Access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students wanting to enroll devices must first authenticate with a second device and two forms of credentials. The goal is to keep unauthorized users from joining devices to our network.
Policy
• MFA Shall be required to enroll devices into Intune
Licensing Considerations
This setting requires at least an Azure AD P1 license, which is available standalone or as part of the following bundles:
• EMS+E3/E5
• Microsoft 365 Business Premium
• Microsoft 365 E3
• Microsoft 365 E5
Set-Up Instructions
Require multifactor authentication for Intune device enrollment - Microsoft Intune | Microsoft Learn
End-User Impact
Level: Medium
Users must satisfy the MFA prompt to enroll a device.
Tips
For users signing in for the very first time who have not configured MFA methods, a temporary access pass can be used: Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods - Microsoft Entra | Microsoft Learn
PowerShell Scripts
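One way to create this policy with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. The policy display name and the emergency-access account object ID are placeholders to replace, and the policy is created in report-only mode so its effect on enrollment sign-ins can be reviewed before it is enforced.

```powershell
# Added example: requires the Microsoft.Graph PowerShell SDK modules below.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Application ID of the "Microsoft Intune Enrollment" cloud app.
$intuneEnrollmentAppId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'

# Placeholder (assumption): object ID of an emergency-access account to exclude.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'

# Hypothetical display name chosen for this example.
$policyName = 'Require MFA for Intune enrollment'

# The enrollment app must exist as a service principal before a policy can target it.
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneEnrollmentAppId'"
if (-not $sp) {
    throw "Service principal for Microsoft Intune Enrollment ($intuneEnrollmentAppId) not found in this tenant."
}

# Avoid creating a duplicate if the policy already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -eq $policyName
if ($existing) {
    Write-Output "Policy '$policyName' already exists (state: $($existing.State))."
    return
}

$policy = @{
    displayName   = $policyName
    # Report-only: evaluated and logged, but not enforced.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @($intuneEnrollmentAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
    Select-Object Id, DisplayName, State
```

After reviewing the report-only results in the sign-in logs, change `state` to `enabled` to enforce the policy.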