cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Bypassing MFA during device enrolment when using per-user MFA

ethanchal
Copper Contributor

‎Feb 01 2023 10:59 AM

‎Feb 01 2023 10:59 AM

Bypassing MFA during device enrolment when using per-user MFA

Hi all,

 

I have a customer that is currently using legacy MFA (per user) set to enforced and already configured for all users.

 

They are piloting an Intune deployment but have hit a snag when it comes to Android enrolment as when signing in for the first time this requires the user to verify their identity with a MFA SMS code. However, when the device is in this provisioning stage the device cannot not receive SMS messages therefore the MFA request (and enrolment) cannot be completed without the help of a second device. Which isn't always an option.

 

I'm aware you can solve this by moving over to Azure MFA with CA policies that exclude Intune Enrolment but this isn't practical for them right now.

 

Is there an alternative way to prevent an MFA request during the device enrolment process when using Legacy MFA? 

Labels:
2,689 Views
0 Likes
3 Replies
Reply
3 Replies
Moe_Kinani

‎Feb 01 2023 05:16 PM - edited ‎Feb 01 2023 05:17 PM

‎Feb 01 2023 05:16 PM - edited ‎Feb 01 2023 05:17 PM

Re: Bypassing MFA during device enrolment when using per-user MFA

What kind of Android Enrollment your customers is using?

I would recommend using Corporate Owned Dedicated Devices (Company Owned Devices), it should enroll via Bar Code with no need to sign in. 

Moe

https://www.inthecloud247.com/how-to-start-with-android-enterprise-corporate-owned-dedicated-devices...

0 Likes
Reply
ethanchal

‎Feb 02 2023 07:34 AM

‎Feb 02 2023 07:34 AM

Re: Bypassing MFA during device enrolment when using per-user MFA

Hi Moe, thanks for your reply.

They are using Corporate Owned Fully Managed at the moment and handing devices out to clients for access to M365 apps. I will look further into Dedicated Devices but do you envisage any obvious challenges when it comes to typical day-to-day usage of this enrolment approach when the device will be used for personal use and not kiosk-type scenarios?

The only other option we've come up with is to manually disable MFA during enrolment and re-enable it afterward.

Thanks
Ethan
0 Likes
Reply
best response confirmed by ethanchal (Copper Contributor)
Moe_Kinani

‎Feb 02 2023 07:41 AM - edited ‎Feb 02 2023 07:44 AM

‎Feb 02 2023 07:41 AM - edited ‎Feb 02 2023 07:44 AM

Solution

Re: Bypassing MFA during device enrolment when using per-user MFA

No challenges, very similar to the old device administrator enrolment. I just rolled out for users don’t like personal profiles.

Sorry, I’m against disabling MFA or making exclusion for users or apps.

Moe

 

https://youtu.be/-JqMjUf-dcA

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by ethanchal (Copper Contributor)
Moe_Kinani

‎Feb 02 2023 07:41 AM - edited ‎Feb 02 2023 07:44 AM

‎Feb 02 2023 07:41 AM - edited ‎Feb 02 2023 07:44 AM

Solution

Re: Bypassing MFA during device enrolment when using per-user MFA

No challenges, very similar to the old device administrator enrolment. I just rolled out for users don’t like personal profiles.

Sorry, I’m against disabling MFA or making exclusion for users or apps.

Moe

 

https://youtu.be/-JqMjUf-dcA

View solution in original post

0 Likes
Reply