Microsoft Tech Community
SOLVED

Bypassing MFA during device enrolment when using per-user MFA

Hi all,
I have a customer that is currently using legacy MFA (per user) set to enforced and already configured for all users.
They are piloting an Intune deployment but have hit a snag when it comes to Android enrolment, as signing in for the first time requires the user to verify their identity with an MFA SMS code. However, while the device is in this provisioning stage it cannot receive SMS messages, so the MFA request (and enrolment) cannot be completed without the help of a second device, which isn't always an option.
I'm aware you can solve this by moving over to Azure MFA with CA policies that exclude Intune Enrolment but this isn't practical for them right now.
Is there an alternative way to prevent an MFA request during the device enrolment process when using legacy MFA?

3 Replies

What kind of Android enrollment is your customer using?

I would recommend using Corporate Owned Dedicated Devices (Company Owned Devices); these should enroll via a QR/bar code with no need to sign in.

Moe

https://www.inthecloud247.com/how-to-start-with-android-enterprise-corporate-owned-dedicated-devices...

Hi Moe, thanks for your reply.

They are using Corporate Owned Fully Managed at the moment and handing devices out to clients for access to M365 apps. I will look further into Dedicated Devices but do you envisage any obvious challenges when it comes to typical day-to-day usage of this enrolment approach when the device will be used for personal use and not kiosk-type scenarios?

The only other option we've come up with is to manually disable MFA during enrolment and re-enable it afterward.

Thanks
Ethan
best response confirmed by ethanchal (Occasional Contributor)
Solution

No challenges, it is very similar to the old device administrator enrolment. I just rolled it out for users who don't like personal profiles.

Sorry, I'm against disabling MFA or making exclusions for users or apps.

Moe
https://youtu.be/-JqMjUf-dcA

In this video we see how to enroll a corporate-owned, fully managed Android user device using a QR code.