Turning off MFA during autopilot enrollment

How will I turn off MFA during autopilot device (windows 10) enrollment?

I saw some articles using conditional access policies. But, if it is enabled where will it be enabled and how can I turn it off? I do not want to create a new conditional access policy. Should this not exist already if it is working during autopilot enrollment? If so, how can I turn it off?

4 Replies
If you set the “Require Multi-Factor Authentication to register or join devices with Azure AD” option to “Yes”, Azure AD prompts users to complete MFA. Thereafter, the user will be challenged with MFA again if you have a CA policy enabled to do so. Both of these settings can be controlled; however, it is security best practice not to disable them.

Hi, by the looks of it, you want to turn off the global setting to require MFA for devices that are getting enrolled. You can do so within Devices / Enroll devices / Windows Hello for Business.
When this setting is not configured or enabled, the user will get prompted to set up MFA during enrollment.
You could turn this off by setting it to Disabled.
Of course it's not best practice to disable this setting, but sometimes people disable it to scope it to a specific set of users by configuring a policy.

@Rudy_Ooms_MVP Apologies for opening up an old thread, but I am trying the method you suggested for disabling users being prompted for MFA during Autopilot. Regardless of whether I set the value of "Configure Windows Hello" to Disabled or Enabled, I am prompted to enter values for PIN length, complexity, etc. Are those values just being displayed but not applied if the "Configure Windows Hello" setting is set to Disabled?


My end goal is to have users not be prompted for MFA during Autopilot, as well as not be prompted for a PIN during account setup (no biometric or PIN).

Exclude Intune enrollment apps from the MFA CA policy. Disable the requirement for MFA for users under Azure AD device settings for Azure AD join. Disable WHfB in Intune at the tenant level and also through a device identity profile. Having said all of the above, it is not recommended to exclude the devices from MFA during Intune enrollment.
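The replies above point at two places where the enrollment MFA requirement lives: the tenant-wide device registration setting and any Conditional Access policy that grants with MFA (and what that policy excludes). The following read-only audit script is an added example, not code from this thread or from Microsoft; it assumes the Microsoft.Graph and Microsoft.Graph.Beta PowerShell modules are installed and that the signed-in account can consent to Policy.Read.All and Application.Read.All. It reports the current state of both settings so you can see what is actually in effect before deciding whether to change anything; it does not modify the tenant.

```powershell
# Added audit example (not from the thread). Read-only: reports the settings the
# replies discuss, changes nothing. Assumes Microsoft.Graph + Microsoft.Graph.Beta
# modules and an account that can consent to the two scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All' -NoWelcome

# --- 1. Tenant-wide "Require Multi-Factor Authentication to register or join devices" ---
# Graph beta: GET /policies/deviceRegistrationPolicy
# multiFactorAuthConfiguration is 'required' or 'notRequired'.
$reg = Get-MgBetaPolicyDeviceRegistrationPolicy
Write-Host "Device registration MFA setting: $($reg.MultiFactorAuthConfiguration)"
if ($reg.MultiFactorAuthConfiguration -ne 'required') {
    Write-Warning 'Tenant does not require MFA to join or register devices.'
}

# --- 2. Conditional Access policies that require MFA, and which apps they exclude ---
function Resolve-AppName {
    param([string]$AppId)
    # Exclude lists hold application IDs; map each to its display name when a
    # service principal for it exists in the tenant, otherwise echo the ID.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction SilentlyContinue
    if ($sp) { return "$($sp.DisplayName) ($AppId)" }
    return $AppId
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    # A policy enforces MFA either via the built-in 'mfa' control or via an
    # authentication strength; policies with neither are skipped.
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)
    if (-not $requiresMfa) { continue }

    Write-Host "`n[$($p.State)] $($p.DisplayName)"
    Write-Host "  Included apps: $($p.Conditions.Applications.IncludeApplications -join ', ')"

    $excluded = $p.Conditions.Applications.ExcludeApplications
    if (-not $excluded) { Write-Host '  Excluded apps: none'; continue }

    foreach ($id in $excluded) {
        $name = Resolve-AppName $id
        # Surface exclusions that take the enrollment flow out of the MFA
        # requirement (the "exclude Intune enrollment apps" approach above).
        if ($name -match 'Intune') { Write-Warning "  Excluded from MFA: $name" }
        else { Write-Host "  Excluded: $name" }
    }
}
```

Run it once before and once after any change so the effect on the tenant is visible in the output rather than inferred from portal screens; policies in the `enabledForReportingButNotEnforced` state are listed too, since a report-only policy prompts for nothing during enrollment regardless of its exclusions.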