How to configure multi-factor authentication in Microsoft Intune – Part 1: The easiest method

By now I think it’s save to assume that everybody knows about the new capabilities of Microsoft Intune that where added last week. Also, next to those adjustments there were the “long” hoped for improvements to the Windows Phone 8.1 enrollment process. These new capabilities and improvements triggered me to do a new small blog series and this time about multi-factor authentication. In this blog series I will describe a few different multi-factor authentication configurations for, initially, Microsoft Intune standalone. This first part will be the easiest configuration, without anything fancy like single sign-on.


Before I’ll start with this configuration for multi-factor authentication it’s important to mention a couple of lines about the scenario. This specific multi-factor authentication configuration is only possible when the following situations are applicable:

  • The Mobile Device Management Authority is set to Microsoft Intune;
  • The devices to enroll are all Windows 8.1 (and newer) or Windows Phone 8.1;
  • Multi-factor authentication is only required during the device enrollment;
  • Single sign-on is not used.


Now let’s start with the configuration. The configuration is really, as mentioned in the title, easy. After the following four steps multi-factor authentication will be enabled for device enrollment of Windows 8.1 (and newer) and Windows Phone 8.1:

  1. MicrosoftIntune_MFA_Config_01Logon on to the Microsoft Intune administration console;
  2. Navigate to Administration > Mobile Device Management > Multi-factor Authentication;
  3. MicrosoftIntune_MFA_ConfigSelect Configure Multi-factor Authentication;
  4. In the Configure Multi-factor Authentication dialog box select Enable Multi-factor Authentication and click OK.


The result of this configuration is actually exactly as expected, multi-factor authentication is only required with the enrollment of Windows 8.1 (and newer) and Windows Phone 8.1. To the end-user the behavior will be as shown in the screenshots below. During the first enrollment the end-user has to configure multi-factor authentication (either via phone or via an app) and during the next enrollments the configured multi-factor authentication method will be used automatically.

First enrollment Next enrollments
MicrosoftIntune_MFA_01 MicrosoftIntune_MFA_07

Further reading

Around the time that I came-up with this blog series Peter Daalmans also posted a blog post about multi-factor authentication with Microsoft Intune. Luckily (for me) he describes a different scenario then the ones I’ll cover in this series, but it’s a good and related read.

2 thoughts on “How to configure multi-factor authentication in Microsoft Intune – Part 1: The easiest method”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.