This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 12%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWN%3C/text%3E%3C/svg%3E)
We use intune and users start install microsoft authenticator app on their private devices. Higher management asked to disable it. How can i disable use the app and enable only on enrolled ones?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 15%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
If you have a private phone that is not managed at all, it might be that it has no pin-code, which means that anyone that gets hold of that phone and the user’s credentials could authenticate. And that is a security issue. We don’t allow BYOD, but we can’t stop the users from using their own mobile when it comes to the Authenticator app.
What you've described is the whole point of MFA. User's credentials and user's phone. Would having an additional PIN code add security? Perhaps, but not having a PIN code here is not what's insecure as the attack vector you've described already requires the compromise of two completely separate things. This should not be considered a security issue as having access to the authenticator app by itself provides no access to anything. Only when combined with the second compromise is this an issue which now becomes a slippery slope or how much is really necessary.
Ultimately, while understand the argument here, I'm not really sure anything can be done to prevent this anyway as that's just not how this technically works.
This isn't really specific to Intune in any way. Curious as to why, what scenario is undesirable here or what are you/they trying to prevent by doing this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 66%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFO%3C/text%3E%3C/svg%3E)
The Azure SSPR enables someone who has access to the mobile phone of a user to reset the password of that user. This is the 'new' reason why we would like to control on which device a Microsoft Authenticator app can be installed to enforce the PIN code on the mobile phone.
They think that is:
all the time trying to explain that there is an option (conditional access) that disables BYOD completely, but there is an expectation to do it in steps and start with MS Auth. So I started to recognize the technical possibilities of such an approach.Ultimately (it is not yet known when) only devices from Intune will be used for work.
security issue
Why? What's the issue exactly? What's the attack vector, exploit, or weakness here making it a security issue? What's the scenario where this will compromise the organization or its data?
Thanks (Jason, Henrik) everyone for the replies. I spoke to the engineer at Premier Support about this. there is no simple solution. The engineer had no such case. Technically it is not possible and this is the way I will introduce my friends from work.