Jun 15 2021 03:24 AM
Hi Intune gang,
I'm having an issue with MFA prompts on Azure AD joined devices.
Allow me to give a quick explanation of the situation:
Our goal is to let multiple Azure users log in to this single Azure AD joined device, which seems easy enough. We've implemented some Intune policies to enforce OneDrive & Printix silent sign-in. This works perfectly fine with accounts that don't have MFA enabled in the M365 admin panel. When signing in with a user that has MFA enforced on this device, they get a message that says something along the lines of "Login again to resolve issues with your work or school account" and then they have to complete an MFA challenge, so the silent login policies don't work.
Is this expected behaviour or can this MFA request be turned off using Conditional Access policies? I've already made a policy with the help of MS support, but they haven't been able to solve this issue yet.
I've added screenshots of this CA policy in the attachments. Some other things to note and that I've tried already:
Any help would be greatly appreciated!
Jun 15 2021 08:08 AM
Solution
Jun 15 2021 08:22 AM
Hi, thanks for the quick response!
That's right, MFA is enforced in the admin.microsoft.com portal.
So what you're saying is to disable MFA for the user and use conditional access instead to ensure MFA? Is there any difference in security between enabling MFA in the admin portal or using CA for MFA?
Jun 15 2021 08:26 AM