Bypassing MFA during device enrolment when using per-user MFA


Hi all,


I have a customer that is currently using legacy MFA (per user) set to enforced and already configured for all users.


They are piloting an Intune deployment but have hit a snag when it comes to Android enrolment: when signing in for the first time, the user is required to verify their identity with an MFA SMS code. However, while the device is in this provisioning stage it cannot receive SMS messages, so the MFA request (and the enrolment) cannot be completed without the help of a second device, which isn't always an option.


I'm aware you can solve this by moving over to Azure MFA with CA policies that exclude Intune Enrolment but this isn't practical for them right now.


Is there an alternative way to prevent an MFA request during the device enrolment process when using Legacy MFA?
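For reference, this is what the Conditional Access route mentioned in the question looks like when scripted. It is an added example, not code from the original thread or from Microsoft: a report-only policy that requires MFA for every cloud app except the Microsoft Intune Enrollment service principal, scoped to a pilot group. The group name 'Intune Pilot Users' is a placeholder, the enrolment app is looked up by display name rather than hard-coded, and the Microsoft.Graph PowerShell SDK with an account holding Policy.ReadWrite.ConditionalAccess is assumed.

```powershell
# Added example (not from the original thread): create a report-only Conditional
# Access policy that requires MFA for all cloud apps but excludes the
# "Microsoft Intune Enrollment" app, so a first sign-in on a device that is still
# being provisioned can complete enrolment without an SMS prompt.
#
# Caveat that the policy cannot fix: per-user (legacy) MFA set to "Enforced"
# prompts regardless of Conditional Access, so the pilot users must be moved off
# per-user enforcement before this policy has any effect.
#
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in account has
# Policy.ReadWrite.ConditionalAccess, Application.Read.All and Group.Read.All;
# a group named 'Intune Pilot Users' exists (placeholder name).

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve the enrolment service principal from the tenant instead of hard-coding
# an app ID, and stop if the lookup is missing or ambiguous.
$enrol = @(Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'")
if ($enrol.Count -ne 1) {
    throw "Expected exactly one 'Microsoft Intune Enrollment' service principal, found $($enrol.Count)."
}

# Placeholder pilot group; replace with the customer's own group name.
$pilot = @(Get-MgGroup -Filter "displayName eq 'Intune Pilot Users'")
if ($pilot.Count -ne 1) {
    throw "Expected exactly one pilot group, found $($pilot.Count)."
}

$policy = @{
    displayName = 'Pilot - Require MFA except Intune enrolment'
    # Start in report-only mode; switch to 'enabled' only after reviewing the
    # sign-in logs to confirm the enrolment app is the only thing being excluded.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilot[0].Id) }
        applications   = @{
            includeApplications = @('All')
            excludeApplications = @($enrol[0].AppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The trade-off is the one the accepted reply below objects to: with the enrolment app excluded, a valid password alone is enough to enrol a device, so anything that later trusts enrolled or compliant devices inherits that weaker first step. Keeping the policy report-only until the sign-in logs show what the exclusion actually covers is the minimum check before enforcing it.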


What kind of Android enrolment is your customer using?

I would recommend using Corporate Owned Dedicated Devices (Company Owned Devices); they should enrol via barcode with no need to sign in.


Hi Moe, thanks for your reply.

They are using Corporate Owned Fully Managed at the moment and handing devices out to clients for access to M365 apps. I will look further into Dedicated Devices but do you envisage any obvious challenges when it comes to typical day-to-day usage of this enrolment approach when the device will be used for personal use and not kiosk-type scenarios?

The only other option we've come up with is to manually disable MFA during enrolment and re-enable it afterward.

best response confirmed by ethanchal (Copper Contributor)

No challenges, very similar to the old device administrator enrolment. I just rolled it out for users who don't like personal profiles.

Sorry, I'm against disabling MFA or making exclusions for users or apps.