MFA enabled - Android fully managed shared device


I have been enrolling a large number of Android devices in Intune. I currently have MFA set up on my account, and during the enrolment process of the fully managed devices it prompts for MFA to approve my sign-in for enrolling the device.


My question is: in 30 days, when MFA wants me to sign in again, will the prompt occur on the enrolled device? I am enrolling these devices on behalf of users, as my account is a device enrollment manager account. This account has MFA enabled, but surely once a device has been enrolled it will not prompt for MFA again? Does anybody know?

2 Replies

@LewisTaylor It will depend on how you are enforcing MFA. Are you using Conditional Access? If so, set the policy to require MFA, require the device to be marked as compliant, and then only require one of the selected controls. This will continue to prompt unmanaged devices for MFA initially until they enroll and become compliant. After that, they will no longer be prompted for MFA.
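
The policy shape the reply describes, written out as an added example (not from the thread or from Microsoft): a Graph-style conditionalAccessPolicy body whose grant controls use operator "OR" (the portal's "Require one of the selected controls"), plus a small, simplified model of how that operator decides whether an MFA prompt is still needed. The display name, user/app scope and the `mfa_prompt_required` helper are constructed for this example; the evaluator is an illustration of the control semantics, not Entra's actual engine.

```python
import json

# Conditional Access policy in Microsoft Graph's conditionalAccessPolicy shape
# (POST /identity/conditionalAccess/policies). Name and scope are constructed
# for this example; only the fields the thread cares about are populated.
POLICY = {
    "displayName": "Android managed devices: MFA or compliant device (example)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["android"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        # "OR"  = "Require one of the selected controls": a compliant device
        #         satisfies the policy on its own, so no MFA prompt.
        # "AND" = "Require all the selected controls": MFA is always demanded,
        #         even on an enrolled, compliant device.
        "operator": "OR",
        "builtInControls": ["mfa", "compliantDevice"],
    },
}


def mfa_prompt_required(policy, device_compliant):
    """Simplified model (assumption, not Entra's evaluator) of whether a
    sign-in from a device that is / is not marked compliant in Intune still
    needs an interactive MFA prompt under `policy`'s grant controls."""
    grant = policy["grantControls"]
    controls = set(grant["builtInControls"])
    if "mfa" not in controls:
        return False
    if grant["operator"] == "OR":
        # Any one satisfied control grants access; a compliant device
        # satisfies "compliantDevice", so MFA is not needed.
        return not (device_compliant and "compliantDevice" in controls)
    # "AND": every selected control must be satisfied, so MFA always runs.
    return True


def policy_json(policy):
    """Serialize the policy as a Graph request body."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(POLICY))
    for compliant in (False, True):
        print(f"compliant={compliant}: prompt={mfa_prompt_required(POLICY, compliant)}")
```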

And if you are not using "Conditional Access" (which you should) it would trigger MFA whenever a user hits an Office 365 service.