I have been working with setup of MFA required for enrollement in Intune abit lately and have discovered a couple of things that is not really explained well in the Intune console/documentation.
Enrollment of devices in Intune will in most cases also trigger a device registration in Azure AD. This registration in Azure AD can easily be connected to a MFA requirement by just configure your Azure AD to require MFA for device registration. But this does not apply to all scenarios, so in this blogpost I am going to go into each plattform and explain what happens during enrollment and how the MFA is triggered. I will also cover different options for enrollment of Windows 10 Mobile.
Setup Azure MFA for Device Registration and AAD Join
First thing you need to do is to enable MFA either in Azure MFA or on your ADFS. In this scenario I will only use Azure MFA and the setup described here will also work if you are using ADFS federation but still want to use Azure MFA.
The scenario described here is based on you having a EMS license and therefore also Azure AD Premium for your users.
The first thing we do is to add an MFA Provider in Azure AD. You go into you Azure AD console and go to Multi-Factor Auth Providers and click on Create a new MFA Provider.
Then you will go to the QuickCreate part and you will name your MFA Provider and choose your Usage Model and link to your directory. I have EMS for all my users and choose Per Enabled User.
Now on the bottom of your page you can click on Manage to change settings for your MFA Provider. There is no need to actually change anything here for MFA to work. But this is the place to see usage and status.
The next thing we need to do to require MFA for device enrollment is to go into the configuration of your Azure AD and locate the Devices section. I presume that you have already enabled Intune in your tenant and that the option “Users may register their devices with Azure AD is already set to All and locked. I have also setup that users may use Azure AD Domain join in my tenant.
No to the important setting that you need to apply. Require MFA to join devices.
Now you are setup for require MFA for both Device Registration via Intune and also for Azure AD Domain join. There is no need for enabling MFA for specific users and you really should not enable it for specific users in this scenario if you dont want users to be required MFA for all access to Azure AD resources (Office365 and so on)
Regarding Windows 10 Mobile you should read on. There is some important steps you need to consider when it comes to that platform specificly.
There is now know way today to provision the authentication details setup for your users from AAD Connect sync or to set this up in the cloud for synchronized users. You can as administrator manually set this details in Azure AD for cloud users. So normally the users will on first attempt be required to setup that kind of information. You can also decide on verification options by clicking on the “Manage Service Setting” under Multi-Factor Authentication in Azure AD Configuration.
Enrolling iOS or Android Device with MFA
When you enroll a iOS (iPhone/iPad) or Android device in Intune it will also in the backend register the device in Azure AD. This all happens when you log into the company portal app and choose to register your device. It is important to understand that it actually is this backend registration in Azure AD that triggers the MFA challenge when enrolling the device. Intune itself doesnt really have MFA as part of it setup for other plattforms than Windows Phone 8x/Windows 10 Mobile.
The device registration in Azure AD is a required steps for these plattforms so the user will not be able to enroll into Intune without actually be MFA challenged. The only time this might clitch is if a user unenrolls a device and then enrolls it again while the device still is registered in Azure AD. I have seen this a few times, but I think this is a testing scenario and that users really dont unenroll and enroll that quick in realtime scenarios.
Enrolling Windows 10 Mobile Devices with MFA
To enable Windows 10 Mobile enrollment by adding a work account you also need to enable AUTO registration with Intune in Azure AD.
Go into your Azure AD and choose Applications and then choose Microsoft Intune
The configuration should be like this to enable this scenario for all users, but you can also just choose a group of users to enable this for.
Option 1 Enroll into Intune by adding a Work Account on your phone:
- Go into Settings – Accounts – Work Access on your phone.
- You will see “Sign in to Azure AD” – Add or remove a work or school account
- On the bottom of this next page you will see Add a work or school account
- Now you login with your account and the MFA Challenge kicks in.
- Depending on your setup you might me asked to provide a Work-pin. This is only if you have Passport for Work enabled in your Intune tenant.
- Registration is complete.
By having this setup what you actually do is that you do a Workplace join of your phone to Azure AD, this triggers the MFA. This setup of Microsoft Intune application in Azure AD triggers a policy to the device forcing it to enroll the device in Intune aswell. All good so far.
But. There is another option on Windows 10 Mobile aswell. And if you dont to additional steps in your Intune Tenant this will not trigger MFA for the enrollment.
Option 2 Enroll into Intune by the Enroll into device management option
- Go into Settings – Accounts – Work Access on your phone.
- Go to the bottom of the page and you will see Enroll into device mangement
- Now provide your email adress (or UPN) and click on Connect
- Next page you provide your password and sign in.
- Now you actually are enrolling into Intune, but you will notice that there was no MFA challenge and you dont have the Work Account on your device either
So why is it like this? And what to we do?
In Windows 10 the experience of adding a work account is not only accessible through Settings but also happens automatically as part of setting up an application for work for the first time like if you setup your email account in outlook with your work email. That means that if you setup work email or connect to Onedrive for business you will be able to force the device into managment by having the setup of the Auto-MDM enrollment setup.
If you use option 2, you will only enroll in Intune. There is no Azure AD device registration involved like it is on the other plattform. That is why Azure AD isn’t able to challenge the user with MFA. But there is a solution to this aswell.
Log in to your Intune tenant and go to Admin – Mobile Device Management and Multi-Factor Authentication and click on Configure Multi-Factor Authentication:
As you can see now, there is a lot of text on this page talking about step 1 with ADFS setup and so on, but that is really not important in this scenario when we are using Azure MFA in the cloud. Configuring MFA requirement for enrollment in Intune, just tells AAD that MFA is needed to complete the authentication request. Azure AD handles this in different ways:
- For cloud or managed domain user, if Azure MFA is configured AAD will do MFA (no ADFS involved). If Azure MFA is not configured, the registration will fail
- For a federated user (ADFS), if ‘supportsMFA’ is turned OFF for the federated domain setting, AAD will redirect the user to the IDP (say ADFS). On the response, if the user is configured for Azure MFA, Azure MFA will then do the 2nd factor auth. If Azure MFA is not configured it will fail.
- For a federated user, if ‘supportsMFA’ is turned on in the federated domain settings, AAD will then redirect the user to the IDP and in the request ask it to do MFA. ADFS will then proceed to do MFA (fail with error if there is failure) and then send a token to AAD with an MFA claim. AAD examines this claim and then makes the decision to allow the enrollment request to flow through or error.
Now finaly you have MFA for all your available Intune Enrollment and also Azure AD Domain Joins set up and required.