Conditional access + Intune

Hello,

I am attempting to achieve no MFA requests for a device in Entra, and devices which are hybrid joined.

MFA will happen to these accounts logged onto devices which are not registered.

The DC is synced with the Entra cloud tool.

I have made it to exclude a list of devices in regards to display names and trust types. It doesn't seem to allow this policy to exclude AD devices within Entra but it works for the Intune devices.

Thank you,

Jamie.

6 Replies
Hi Jamie,

Why would you like to achieve no MFA requests for your users?

This would be no MFA requests for users on company devices, outside of the organisation's building.
This is not what I desire; however, this is what is requested by the management of my organisation.
Would you be aware of how to achieve this?
Thank you,
Jamie.

Hi Jamie,

Yes, you would have to configure your office as a trusted location.
Take a look here, at the documentation:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network#ipv4-...

As always with conditional access, please test it before activating in production. In the worst case, you could potentially lock yourself out.

Hello,
Unfortunately this would not achieve what they want to achieve, this would prompt users to MFA on their staff laptops at home. Even though this is common practice, they want this to happen to devices not provided by the organisation.
Thank you,
Jamie.

Hi Jamie,

I'm actually not quite sure how you should achieve no MFA requests at all.
You could take a look at require compliant devices, even though that wouldn't completely remove the MFA prompts.

Microsoft are enforcing MFA where possible, so it's a hard task and definitely not something I would recommend trying to bypass. 🙂

Why not consider deploying Windows Hello? In my opinion, this best fits the needs of the organization while still maintaining your MFA policies, given Windows Hello is a passwordless authentication method.