MFA set up so users don't need to authenticate every time at home or on a work device


Hi all,

Is it possible to only need to authenticate with MFA when not using a work device, or when a member of staff is at home on their work device?

I have set it to not ask for MFA when members of staff are in the office.


Hello @AB21805 ,

"authenticate when using MFA when not using a work device" -> you can build a CA policy using Filter for Devices under Conditions. Choose DeviceOwnership or TrustType. Note that devices must be enrolled in Intune or Azure AD.

"when a member of staff is at home on their work device" -> use Named Locations to set locations where you require MFA.

Thanks!

As I am in the testing stage and most staff have not registered for MFA, if I set all Intune-managed / work devices to not require MFA unless on a non-managed device, what would be the best way to get them registered?
Also, if I wanted to require MFA on non-Intune devices, would I exclude or include them in the MFA CA policy?

Hello @AB21805,

"What would be the best way to get them registered?" - this should be the best way for you. If you have 30-40 users with a list of devices, you can talk to each of them and enroll all of them manually. If you have a local AD environment and all workstations are connected to it, you can use a GPO to enroll workstations into AAD and Intune.

"I wanted to require MFA on non-Intune devices, would I exclude or include in the MFA CA policy" -> there should be a policy that Grants Access, Requires MFA, and is applied to devices that have the property "isCompliant Not equals True" AND "isCompliant Not equals False".

Hi,

Thanks for this. For the registration part, I mean those users who are not MFA registered yet, so they have no authentication method set. What would be the best way to get them registered for MFA so they have a method registered? I was thinking of sending out: https://aka.ms/mfasetup

Hi @mikhailf

So if I included all locations and excluded office IPs:

[Screenshot 2023-02-06 at 11.49.04.png]

Grant access but require MFA.

Also set the filter for devices like so:

[Screenshot 2023-02-06 at 11.49.11.png]

Will this then only ask those who are not on an Intune-enrolled company device for MFA when signing into all cloud apps?

With locations you are right. In this case, users who are connecting from office IPs will not be required to perform MFA.
For devices that are not enrolled in Intune, I would create an additional Conditional Access policy.
Grant + Require MFA for All devices that have property "isCompliant Not equals True" AND "isCompliant Not equals False".
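The two policies discussed in this thread (the location-based MFA policy from the screenshot post and the extra device-filter policy from this reply), written out as Microsoft Graph conditionalAccessPolicy documents, plus a small offline evaluator that shows which sign-ins get an MFA prompt. This is an added example, not code from Microsoft or from anyone in the thread. The office IP range, the named-location id placeholder and the sign-in scenarios are constructed; the device filter on the first policy is an assumption (the screenshot is not visible here), chosen as "exclude devices where isCompliant equals True" so that managed, compliant devices at home are not prompted, which is what the original question asks for.

```python
import ipaddress
import json
from typing import Optional

# Constructed values: a documentation IP range standing in for the office egress
# addresses, and a placeholder for the named location's id (real ids are GUIDs
# returned by Graph when the named location is created).
OFFICE_IP_RANGES = ["203.0.113.0/24"]
OFFICE_NAMED_LOCATION_ID = "PLACEHOLDER-OFFICE-NAMED-LOCATION-ID"

# Policy 1: all locations included, office excluded, grant requires MFA.
# The device filter is an assumption: skip devices Intune reports as compliant.
POLICY_OUTSIDE_OFFICE = {
    "displayName": "Require MFA off-network on non-compliant devices",
    "state": "enabledForReportingButNotEnforced",  # report-only while testing
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": [OFFICE_NAMED_LOCATION_ID]},
        "devices": {"deviceFilter": {"mode": "exclude",
                                     "rule": "device.isCompliant -eq True"}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Policy 2: the additional policy from this reply, for devices that are neither
# compliant nor non-compliant, i.e. devices Intune does not know about.
POLICY_UNREGISTERED_DEVICES = {
    "displayName": "Require MFA on devices unknown to Intune",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "devices": {"deviceFilter": {
            "mode": "include",
            "rule": "device.isCompliant -ne True -and device.isCompliant -ne False"}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

ALL_POLICIES = (POLICY_OUTSIDE_OFFICE, POLICY_UNREGISTERED_DEVICES)


def in_office(client_ip: str) -> bool:
    """True when the sign-in comes from an address inside the office named location."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r) for r in OFFICE_IP_RANGES)


def device_matches_rule(rule: str, is_compliant: Optional[bool]) -> bool:
    """Evaluate a filter-for-devices rule limited to device.isCompliant clauses
    using -eq / -ne joined by -and. An unregistered device carries no compliance
    value (None): negative operators match it, positive operators do not."""
    for clause in rule.split(" -and "):
        prop, op, value = clause.split()
        if prop != "device.isCompliant" or op not in ("-eq", "-ne"):
            raise ValueError(f"unsupported clause: {clause}")
        expected = {"True": True, "False": False}[value]
        if op == "-eq" and is_compliant != expected:
            return False
        if op == "-ne" and is_compliant == expected:
            return False
    return True


def policy_applies(policy: dict, client_ip: str, is_compliant: Optional[bool]) -> bool:
    """Decide whether a policy is in scope for one sign-in (location + device filter)."""
    cond = policy["conditions"]
    loc = cond.get("locations")
    if loc and OFFICE_NAMED_LOCATION_ID in loc.get("excludeLocations", []):
        if in_office(client_ip):
            return False
    flt = cond.get("devices", {}).get("deviceFilter")
    if flt:
        matched = device_matches_rule(flt["rule"], is_compliant)
        if flt["mode"] == "include" and not matched:
            return False
        if flt["mode"] == "exclude" and matched:
            return False
    return True


def mfa_required(client_ip: str, is_compliant: Optional[bool], policies=ALL_POLICIES) -> bool:
    """A sign-in is prompted if any in-scope policy carries the mfa grant control."""
    return any(policy_applies(p, client_ip, is_compliant)
               and "mfa" in p["grantControls"]["builtInControls"]
               for p in policies)


def to_graph_json(policy: dict) -> str:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed scenarios: (description, client IP, Intune compliance state)
    for label, ip, compliant in [
        ("office, compliant device", "203.0.113.10", True),
        ("home, compliant device", "198.51.100.7", True),
        ("home, non-compliant device", "198.51.100.7", False),
        ("home, unregistered device", "198.51.100.7", None),
        ("office, unregistered device", "203.0.113.10", None),
    ]:
        print(f"{label:30s} -> MFA prompt: {mfa_required(ip, compliant)}")
```

The evaluator makes the combined effect visible before anything is enforced: compliant devices are never prompted, a registered but non-compliant device is prompted off-network, and an unregistered device is prompted everywhere, including from office IPs, because the second policy has no location condition (add the office named location to its exclusions if that is not intended). Both policies start in `enabledForReportingButNotEnforced` so the sign-in logs show who would have been interrupted; once enforced, the `mfa` grant control also pushes users with no registered method into registration at their next interrupted sign-in, which complements sending out the aka.ms/mfasetup link.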