
Automatic enrolment into Intune and MFA using MS Authenticator

meravensdown
New Contributor

Hi all,

Another question. So, we are starting to go down the MFA and Intune route and need some help.

We are using the MS Authenticator app on our mobile phone fleet (iPhone) and have run into a curly issue. We use Apple DEP so that as soon as a new phone, or existing iPhone, is wiped, it automatically downloads the Company Portal app, runs it and prompts the user to log in with their email address.

Our issue is that if that user has MFA configured they are NOT able to get past the point where they either have to go to the MS Authenticator app to approve, try the TXT method or phone call (you can see the call showing but you are unable to actually accept the call).

The only way we have found to get around this is to disable the user's MFA in the O365 admin portal, get them to sign in to the Company Portal app on their phone to complete the enrolment, then re-enable their MFA and get them to redo the MFA process.

Is the above correct or are we missing something obvious?

1 Reply

Currently, MFA doesn't work during enrollment on DEP devices, and the solution is to disable MFA, and then re-enroll the device.

More information from the Troubleshoot iOS device enrollment problems page: https://docs.microsoft.com/en-us/intune/enrollment/troubleshoot-ios-enrollment-errors

But there are other scenarios (new ones) that allow Intune to skip user authentication through the iOS Setup Assistant and, instead, use modern authentication, and it depends on your scenario.

https://support.microsoft.com/en-gb/help/4493320/cannot-access-company-resources-on-a-dep-device
