This week’s blog post will continue about conditional access. However, this time I’m going to look at a specific scenario in which conditional access is the key to making it easy to solve. This week I’m going to show three options, well actually only two, for requiring multi-factor authentication (MFA) during the enrollment of a device. First I’m going through the different configuration options and after that I’ll show the end-user experience per configuration option.
Now let’s start by having a look at the different configuration options. When I’m looking at the different configuration options, I want to look a little bit further than just the Microsoft Intune enrollment. I also want to include the Azure AD join, as it’s a common additional configuration. That makes that to require MFA during the enrollment of a device, the following options are available:
- Require MFA to join Azure AD;
- Require MFA for Microsoft Intune enrollment;
- Require MFA for Microsoft Intune enrollment for Windows devices only.
Option 1: Multi-factor authentication to join Azure AD
The first option is to require MFA to join a device to Azure AD. When Microsoft Intune is configured in Azure AD to automatically enroll during the Azure AD join, it’s possible to simply require MFA to join Azure AD. That would require the end-user to use MFA to join and enroll the device. However, the down-side of this configuration is that it’s really specific to Windows devices that can perform an Azure AD join. When other platforms are in the picture, this solution will not be enough to require MFA during every enrollment.
To configure the MFA requirement for joining Azure AD, the Azure portal and the Azure classic portal can be used. Both configuration options are described below.
Note: Not only do both configuration options have the same effect, but both configurations options are stored in the same location. In other words, when this is configured in the Azure portal it will also show in the Azure classic portal and vice versa.
Option 2: Multi-factor authentication for Microsoft Intune enrollment
The second option is to require MFA to enroll a device into Microsoft Intune. This configuration would require the end-user to always use MFA to enroll a device. For every supported platform. The down-side of this configuration is that it’s really specific to Microsoft Intune enrollments. When there are devices that only need to perform an Azure AD join, this solution will not be enough to require MFA during every Azure AD join.
To configure the MFA requirement for enrolling into Microsoft Intune, the Azure portal and the Azure classic portal can be used. Both configuration options are described below.
Note: In the Azure portal there are multiple roads to eventually create a conditional access. One is as shown above, by starting with the application, and another is by going straight to Azure Active Directory > Conditional access. This is the overview location of conditional access that shows all the created policies. Adding a new policy at this location, only requires an additional actions to select the correct Cloud app.
Option 3: Multi-factor authentication for Microsoft Intune enrollment for Windows devices only
The third option used to be the option to require MFA to enroll a Windows device into Microsoft Intune. That configuration could be done through the Intune Silverlight portal and through the Configuration Manager console. The configuration is even still available in the Configuration Manager console. However, this option should not be used anymore. The advise is to use one of the other two options. This was also the most limiting MFA requirement, as it was only available for Windows devices.
For more information about multi-factor authentication and conditional access, please refer to:
- Multi-factor authentication for Intune device enrollments: https://docs.microsoft.com/en-us/intune/deploy-use/multi-factor-authentication-azure-active-directory
- Setting up Azure AD Join in your organization: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-setup
- Conditional access in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
- Conditional access in Azure Active Directory – preview: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal