Require multifactor authentication for Intune device enrollments
Applies to:
Android
iOS/iPadOS
macOS
Windows 10
Windows 11
You can use Intune together with Microsoft Entra Conditional Access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students who want to enroll devices must first authenticate with a second device and two forms of credentials. MFA requires them to authenticate using two or more of these verification methods:
Something they know, such as a password or PIN.
Something they have that can't be duplicated, such as a trusted device or phone.
Something they are, such as a fingerprint.
If a device isn't compliant, the device user is prompted to make the device compliant before enrolling in Microsoft Intune.
Prerequisites
To implement this policy, you must assign Microsoft Entra ID P1 or later to users.
Configure Intune to require multifactor authentication at device enrollment
Complete these steps to enable multifactor authentication during Microsoft Intune enrollment.
Important
Don't configure device-based access rules for Microsoft Intune enrollment.
Expand Manage devices, and then select Conditional Access. This Conditional Access area is the same as the Conditional Access area available in the Microsoft Entra admin center. For more information about the available settings, see Building a Conditional Access policy.
Choose Create new policy.
Name your policy.
Select the Users category.
Under the Include tab, choose Select users or groups.
Additional options appear. Select Users and groups. A list of users and groups opens.
Browse and select the Microsoft Entra users or groups you want to include in the policy. Then choose Select.
To exclude users or groups from the policy, select the Exclude tab and add those users or groups like you did in the previous step.
Select the next category, Target resources. In this step, you select the resources that the policy applies to. In this case, we want the policy to apply to events where users or groups try to access the Microsoft Intune Enrollment app.
Under Select what this policy applies to, choose Resources (formerly cloud apps).
Under Select, choose None. A list of resources opens.
Search for Microsoft Intune Enrollment. Then choose Select to add the app.
For Apple automated device enrollments using Setup Assistant with modern authentication, you have two options to choose from. The following table describes the difference between the Microsoft Intune option and the Microsoft Intune Enrollment option.

Cloud app: Microsoft Intune
MFA prompt location: Setup Assistant, Company Portal app
Automated Device Enrollment notes: With this option, MFA is required during enrollment and each time the user signs in to the Company Portal app or website. The MFA prompts appear on the Company Portal sign-in page.

Cloud app: Microsoft Intune Enrollment
MFA prompt location: Setup Assistant
Automated Device Enrollment notes: With this option, MFA is required during device enrollment and appears as a one-time MFA prompt on the Company Portal sign-in page.
Note
The Microsoft Intune Enrollment cloud app isn't created automatically for new tenants. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID d4ebce55-015a-49b5-a083-c84d1797ae8c, in PowerShell or Microsoft Graph.
Select the Grant category. In this step, you grant or block access to the Microsoft Intune Enrollment app.
Choose Grant access.
Select Require multifactor authentication.
Select Require device to be marked as compliant.
Under For multiple controls, select Require all the selected controls.
Choose Select.
Select the Session category. In this step, you can make use of session controls to enable limited experiences within the Microsoft Intune Enrollment app.
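The same configuration can be scripted. The following Microsoft Graph PowerShell example is added here and is not part of the Microsoft article: it first makes sure the Microsoft Intune Enrollment service principal exists (the note above gives its app ID, d4ebce55-015a-49b5-a083-c84d1797ae8c), then creates a Conditional Access policy that targets only that app, includes one group, excludes a break-glass group, and grants access only when MFA and a compliant device are both satisfied, matching the portal steps above. It assumes the Microsoft.Graph modules are installed, the signed-in account can manage applications and Conditional Access policies, and the group names SG-Intune-Enrollment-Users and SG-BreakGlass-Accounts are placeholders for groups in your own tenant.

```powershell
# Added example (not from the Microsoft article). Builds the Conditional Access
# policy described in the steps above with Microsoft Graph PowerShell, after
# ensuring the "Microsoft Intune Enrollment" service principal exists.
# Assumptions: Microsoft.Graph modules installed; the signed-in account holds
# the Application Administrator and Conditional Access Administrator roles;
# the group names below are placeholders for your own tenant.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

# App ID of the Microsoft Intune Enrollment cloud app (value from the article's note).
$intuneEnrollmentAppId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'

# Placeholder group names (hypothetical); replace with your own include/exclude groups.
$includeGroupName = 'SG-Intune-Enrollment-Users'
$excludeGroupName = 'SG-BreakGlass-Accounts'

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Ensure the Microsoft Intune Enrollment service principal exists in this tenant.
#    New tenants don't get it automatically, so create it from the well-known app ID.
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneEnrollmentAppId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $intuneEnrollmentAppId
    Write-Host "Created service principal '$($sp.DisplayName)' ($($sp.Id))"
} else {
    Write-Host "Service principal already present: '$($sp.DisplayName)'"
}

# 2. Resolve the include and exclude groups to object IDs.
$includeGroup = Get-MgGroup -Filter "displayName eq '$includeGroupName'"
$excludeGroup = Get-MgGroup -Filter "displayName eq '$excludeGroupName'"
if (-not $includeGroup -or -not $excludeGroup) {
    throw 'Include or exclude group not found; check the placeholder group names.'
}

# 3. Build the policy body. Target resource = Microsoft Intune Enrollment only;
#    grant = MFA AND compliant device ("Require all the selected controls").
#    Start in report-only mode and switch to 'enabled' after reviewing sign-in logs.
$policy = @{
    displayName   = 'Require MFA and compliant device for Intune enrollment'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeGroups = @($includeGroup.Id)
            excludeGroups = @($excludeGroup.Id)
        }
        applications   = @{
            includeApplications = @($intuneEnrollmentAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

# 4. Create the policy and report what was created.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created Conditional Access policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Keeping the policy in report-only mode first lets you confirm in the Entra sign-in logs that only enrollment sign-ins to the Microsoft Intune Enrollment app are being evaluated, and that the excluded break-glass group is never caught by it, before you change state to 'enabled'.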