Forum Discussion
AB21805
Feb 06, 2023 - Bronze Contributor
MFA set up so users don't need to authenticate every time at home or on work device
Hi all, Is it possible to only need to authenticate when using MFA when not using a work device or when a member of staff is at home on their work device? I have set it to not ask for MFA wh...
mikhailf
Feb 06, 2023 - Steel Contributor
Hello AB21805,
"authenticate when using MFA when not using a work device" -> you can build a CA policy using Filter for Devices under Conditions. Choose DeviceOwnership or TrustType. Pay attention that devices should be enrolled in Intune or AzureAD.
"when a member of staff is at home on their work device" -> use Named Locations to set locations where you require MFA.
AB21805
Feb 06, 2023 - Bronze Contributor
Also, if I wanted to require MFA on non-Intune devices, would I exclude or include them in the MFA CA policy?
- mikhailf, Feb 06, 2023 - Steel Contributor
Hello AB21805,
"What would be the best way to get them registered?" - this should be the best way for you. If you have 30-40 users with a list of devices you can talk to each other and enroll all of them manually. If you have a local AD environment and all workstations connected to it, you can use a GPO to enroll workstations to AAD and Intune.
"I wanted to require MFA on non-Intune devices, would I exclude or include in the MFA CA policy" -> there should be a policy that grants access, requires MFA, and is applied to devices that have the property "isCompliant Not equals True" AND "isCompliant Not equals False".
- AB21805, Feb 06, 2023 - Bronze Contributor
Hi mikhailf
So if I included all locations and excluded office IPs:
Grant access but MFA
Also set filter for devices like so:
Will this then only ask those who are not on an Intune-enrolled company device for MFA when signing into all cloud apps?
- mikhailf, Feb 06, 2023 - Steel Contributor
With locations you are right. In this case, users who are connecting from office IPs will not be required to perform MFA.
For devices that are not enrolled in Intune, I would create an additional Conditional Access policy.
Grant + Require MFA for All devices that have property "isCompliant Not equals True" AND "isCompliant Not equals False".
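The policy mikhailf outlines above (all locations included, office IPs excluded, grant with MFA, device filter on the isCompliant property) expressed with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; it assumes a named location for the office IPs already exists under the assumed display name "Office IPs", uses the device-filter rule exactly as stated in the thread, and creates the policy in report-only state so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not from the thread): build the Conditional Access policy described above
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: the office IP ranges are already defined as a named location called "Office IPs".
$office = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Office IPs'"
if (-not $office) { throw "Named location 'Office IPs' not found; create it first." }

# Placeholder: object id of an emergency-access (break-glass) account that must never be locked out.
$breakGlassUserId = "<break-glass-account-object-id>"

$policy = @{
    displayName = "Require MFA off-site on non-Intune devices"
    # Report-only first; change to "enabled" once the sign-in log results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($office.Id)      # office IPs never prompt for MFA
        }
        devices        = @{
            deviceFilter = @{
                mode = "include"
                # Rule as given in the thread: devices with no compliance state (not Intune-enrolled).
                rule = "device.isCompliant -ne True -and device.isCompliant -ne False"
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Keep the policy in report-only mode long enough to confirm in the Azure AD sign-in logs that office sign-ins and Intune-enrolled devices show "not applied" while other sign-ins show "report-only: required", then switch state to "enabled". The excluded emergency-access account is a general Conditional Access practice, not something the thread discusses.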
- AB21805, Feb 06, 2023 - Bronze Contributor
Hi,
Thanks for this. For the register part, I mean those users who are not MFA-registered yet, so they have no authentication method set; what would be the best way to get them registered for MFA so they have a method registered? I was thinking of sending out: https://aka.ms/mfasetup
- mikhailf, Feb 06, 2023 - Steel Contributor
Check this one: Nudge users to set up Microsoft Authenticator - Azure Active Directory - Microsoft Entra | Microsoft Learn
This is under AAD -> Security -> Authentication methods -> Registration campaign