Require MFA for Intune device enrollments

Steel Contributor

Hi,

 

belonging to the following MS docs i'm wondering why some of my users need to provide MFA while enrolling their device, even if i have not set up the conditional access as descibed in the MS Docs, yet.

https://docs.microsoft.com/en-us/intune/multi-factor-authentication

 

Thank you in advance.

Regards

Patrick

8 Replies

Hi @PatrickF11,

 

some of them could mean only Windows 10? Then it might be the case that you are enforcing MFA on AADJ like this:

 

SNAG-0000.png

 

best,

Oliver

Hi @Oliver Kieselbach 

 

sorry, i meant iOS & Android Enrollment.

(By the way: The mentioned setting is active in my tenant config.)

@PatrickF11 

 

:) ah okay. Android and iOS should not be affected from this setting. Did you have several CA policies active in your tenant? Did you try to use the CA "What if" feature to check if you might be affected under certain conditions which then might include the "Microsoft Intune Enrollment" app as mentioned in the article?

@Oliver Kieselbach 

At this moment there are only 2 CAs active:

One is for administrators and one is for ActiveSync (Blocking of the native ios&android app, to gently "push" the use of the Outlook App. ;)

 

So at this moment i don't have any idea. :\

Hi @hskovgaard,

 

i know that some users use MFA, but they don't appear in this list from your link.

What should account.activedirectory.windowsazure.com effect? When i look into this no user has MFA enabled, even if i know some registered for MFA.

It's the "old" way of enabling MFA. If you enable here, then the user is always required to use MFA no matter what a CA rule says.

Another thing to check is to see if there is anything setup in Azure AD Identity Protection regarding MFA?

@hskovgaard Thank for your explanation.

In Identity Protection i've set up the Sign-in risk policy to require MFA when risk level is high. (We want to "tighten" that to medium risk level.)

At this point we do not enforce our users to register for MFA. (Azure AD Identity Protection -> Configure -> MFA registration)