Forum Discussion
Solved
Can I improve user experience of Azure MFA?
Hi all, We have not that long ago enabled Azure MFA via conditional access to the most important users in the company. At the time of deployment it got thrown in with probably little appreciation...
- Yes, this is possible.
So you can use the 'require compliant device' if your devices is fully Intune managed and not added to an on-prem domain. So this means AAD joined W10, Android, iOS and MacOs
If your W10 computers are currently on-prem, I would advise you to hybrid join them. That way they are joined to AD and AAD at the same time
I usually keep it an 14 days. This is a good middle ground between security and user friendlyness
It's not overkill to include all cloud apps.
I would however, advise you to exclude all compliant/hybrid joined devices. If you set it up like this, your users will not receive MFA prompts when they are on a corporate computer
It's not overkill to include all cloud apps.
I would however, advise you to exclude all compliant/hybrid joined devices. If you set it up like this, your users will not receive MFA prompts when they are on a corporate computer
Thijs Lecomte I actually did think that perhaps 14 days would be good.
We have not as of yet done any hybrid join other than a select few machines from IT.
This certainly makes a case for it. Do you know how that works with android and ipads that are in Intune as fully supervised devices?
- Yes, this is possible.
So you can use the 'require compliant device' if your devices is fully Intune managed and not added to an on-prem domain. So this means AAD joined W10, Android, iOS and MacOs
If your W10 computers are currently on-prem, I would advise you to hybrid join them. That way they are joined to AD and AAD at the same timeThijs Lecomte Thank you, I got some ideas now actually to make it better. will take this to my manager. thank you.