This week’s blog post continues on conditional access. This time, however, I’m going to look at a specific scenario in which conditional access is the key to an easy solution. I’m going to show three options, well actually only two, for requiring multi-factor authentication (MFA) during the enrollment of a device. First I’ll go through the different configuration options, and after that I’ll show the end-user experience per configuration option.
Configuration options
Now let’s start by having a look at the different configuration options. When looking at them, I want to look a little further than just the Microsoft Intune enrollment and also include the Azure AD join, as it’s a common additional configuration. That means the following options are available for requiring MFA during the enrollment of a device:
- Require MFA to join Azure AD;
- Require MFA for Microsoft Intune enrollment;
- Require MFA for Microsoft Intune enrollment for Windows devices only.
Option 1: Multi-factor authentication to join Azure AD
The first option is to require MFA to join a device to Azure AD. When Microsoft Intune is configured in Azure AD to automatically enroll during the Azure AD join, it’s possible to simply require MFA to join Azure AD. That would require the end-user to use MFA to join and enroll the device. However, the downside of this configuration is that it’s specific to Windows devices that can perform an Azure AD join. When other platforms are in the picture, this solution will not be enough to require MFA during every enrollment.
To configure the MFA requirement for joining Azure AD, the Azure portal and the Azure classic portal can be used. Both configuration options are described below.
Note: Not only do both configuration options have the same effect, but both configuration options are stored in the same location. In other words, when this is configured in the Azure portal it will also show in the Azure classic portal and vice versa.
Option 2: Multi-factor authentication for Microsoft Intune enrollment
The second option is to require MFA to enroll a device into Microsoft Intune. This configuration would require the end-user to always use MFA to enroll a device, on every supported platform. The downside of this configuration is that it’s specific to Microsoft Intune enrollments. When there are devices that only need to perform an Azure AD join, this solution will not be enough to require MFA during every Azure AD join.
To configure the MFA requirement for enrolling into Microsoft Intune, the Azure portal and the Azure classic portal can be used. Both configuration options are described below.
Note: In the Azure portal there are multiple roads to eventually create a conditional access policy. One is by starting with the application, as shown above, and another is by going straight to Azure Active Directory > Conditional access. This is the overview location of conditional access that shows all the created policies. Adding a new policy at this location only requires an additional action to select the correct Cloud app.
Option 3: Multi-factor authentication for Microsoft Intune enrollment for Windows devices only
The third option used to be the way to require MFA to enroll a Windows device into Microsoft Intune. That configuration could be done through the Intune Silverlight portal and through the Configuration Manager console. The configuration is even still available in the Configuration Manager console. However, this option should not be used anymore. The advice is to use one of the other two options. This was also the most limiting MFA requirement, as it was only available for Windows devices.
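As an added example (not from the original post), here is a small Python audit over conditional access policies in the Microsoft Graph conditionalAccessPolicy JSON shape: it checks whether enabled policies force MFA for the Microsoft Intune Enrollment cloud app for all users, and reports which device platforms are left uncovered, which is exactly the gap a Windows-only requirement (option 3) leaves and a tenant-wide policy (option 2) closes. The Intune Enrollment app ID, the platform set and the sample policies are assumptions and constructed data, not values from the post.

```python
# Audit conditional access policies (Microsoft Graph conditionalAccessPolicy JSON
# shape) for an MFA requirement on Intune enrollment; report uncovered platforms.

# App ID of the "Microsoft Intune Enrollment" cloud app (assumed value;
# confirm it against the service principals in your own tenant).
INTUNE_ENROLLMENT_APP_ID = "d4ebce55-015a-49b5-a083-c84d1797ae8c"
# Platforms that can enroll; extend if your tenant adds others.
ALL_PLATFORMS = {"android", "iOS", "windows", "macOS", "windowsPhone"}

def enrollment_mfa_coverage(policy):
    """Platforms on which this policy forces MFA for Intune enrollment for all
    users; empty set when the policy gives no such guarantee."""
    if policy.get("state") != "enabled":      # report-only or disabled
        return set()
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    if "All" not in apps and INTUNE_ENROLLMENT_APP_ID not in apps:
        return set()
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        return set()                          # only a subset of users
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls or (grant.get("operator") == "OR" and len(controls) > 1):
        return set()                          # MFA absent or merely one option
    plats = cond.get("platforms") or {}
    included = set(plats.get("includePlatforms", []))
    covered = set(ALL_PLATFORMS) if (not included or "all" in included) else included
    return (covered & ALL_PLATFORMS) - set(plats.get("excludePlatforms", []))

def audit(policies):
    """Sorted list of platforms no enabled policy covers (empty means complete)."""
    covered = set()
    for policy in policies:
        covered |= enrollment_mfa_coverage(policy)
    return sorted(ALL_PLATFORMS - covered)

def _policy(name, state, platforms=None):
    """Build a constructed sample policy in the Graph shape."""
    conditions = {"applications": {"includeApplications": [INTUNE_ENROLLMENT_APP_ID]},
                  "users": {"includeUsers": ["All"]}}
    if platforms is not None:
        conditions["platforms"] = {"includePlatforms": platforms, "excludePlatforms": []}
    return {"displayName": name, "state": state, "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

# Constructed samples: the Windows-only variant (option 3's limitation),
# a tenant-wide policy (option 2), and a pilot policy still in report-only mode.
POLICY_WINDOWS_ONLY = _policy("MFA for enrollment - Windows", "enabled", ["windows"])
POLICY_ALL_PLATFORMS = _policy("MFA for enrollment - all", "enabled")
POLICY_REPORT_ONLY = _policy("MFA pilot", "enabledForReportingButNotEnforced")
```

Feed it the policies exported from your tenant (for example the output of the Graph conditional access policies endpoint) to see which enrollment platforms still bypass MFA.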
End-user experience
More information
For more information about multi-factor authentication and conditional access, please refer to:
- Multi-factor authentication for Intune device enrollments: https://docs.microsoft.com/en-us/intune/deploy-use/multi-factor-authentication-azure-active-directory
- Setting up Azure AD Join in your organization: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-setup
- Conditional access in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
- Conditional access in Azure Active Directory – preview: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Hi Peter, can I assume that option # 2 will not interfere with the use of either a GPO for enrollment, or enrollment through device registration?
regards, Anthony.
Hi Anthony,
I will simply require MFA for every Intune enrollment. That includes GPO enrollment.
Regards, Peter
Does this work for self-service AADJ with Autopilot?
Yes! See also: https://learn.microsoft.com/en-us/mem/intune/enrollment/multi-factor-authentication
Regards, Peter