Hello, 

Project: Configure Auto-Pilot Hybrid Join for new users and laptops (with White Glove from Dell)

Process works and pre-provisioning is successful, a VPN (Cisco AnyConnect) that auto-starts at the login screen via a certificate.

At this stage the user is being targeted with Azure MFA via Conditional Access  

Once the user logs in, non of the Microsoft Endpoint Manager policies get picked up, Teams does not Automatically sign in (But prompts the user to sign in) 

If we leave it 30 mins (Waiting for Azure AD Connect to Sync the device. We reboot and we get the same, none of the policies get picked up, bit locker does not encrypt, teams doesn't auto sign in etc. 

If we do a dsregcmd /status on a CMD window, it shows as Domain Joined but not Azure AD joined. 

Then we look inside of "Work and School Account" we see the info button, we click this, and under "Sync" button has an error, with something on the lines of "Cannot authenticate your credentials" etc etc.  - I then click sync and it pops up with the Microsoft Loin Box, I select my account (connected to windows) and sign in - it then throws an MFA prompt to MS Authenticator.  If I approve, it syncs and the device starts to get all the policies it requires.  

=============

So, I decided to do another test, this time excluding the user from Azure MFA (CA Policy) and ran a new deployment.  

- Pre-provisions OK 

- Can login with AD credentials at login 

- Teams automatically signs in 

- dsregcmd /status shows everything is correct, it is Azure AD Joined and Local AD Joined

- wait 30 min for Hybrid AD Join to happen from the DC through AD Connect sync

- Reboot the machine, at next login, everything works, bit locker encrypts, oneDrive auto-signs in. 

- The world is a good place. 

It would therefore lead me to believe that with MFA enabled on the user that is signing into the machine, it blocks the initial Azure AD join process tied to that user and stops policies from pulling down to the machine. 

However, I cannot find any reference material surrounding MFA being the catalyst as to why the Hybrid Azure AD Join over VPN just does not work properly. Or how we can bypass it on AutoPilot deployments 'Hybrid' deployments. 

Note: In Azure AD > Devices > Device Settings - the option for "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" is set to NO (Thought worth a mention, even though I think it does not apply to Hybrid AD join devices)

Another note, is if the user is enabled for MFA and we then deploy inside the corp network (which is bypassing/excluded from MFA) then this works without a problem too.   

The CA Policy for MFA targets All Cloud Apps.  We even tried to exclude "Intune Enrollment / Intune / Azure Management" - without success. 

So we're super stumped as what to do - Does anyone have any info on MFA being a problem with AutoPilot Hybrid Join over VPN?