1,510 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 70%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
The settin is off, still getting prompt of MFA authentication
How can I disable MFA on initial logins for our Windows provisioned devices?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
Hi I wandering if you can assist. My company currently uses Intune for our Windows devices and our current process is set that on enrollment when a user tries to log in they will need to use MFA. My question is I would like to bypass this for the initial log in. I don't want it fully disabled just on initial log in. We would like it so the end user does not need a second device when signing in for the first time. However we do want them at a later date to use MFA for obvious security reasons. Do you know if this is possible please and how?
Microsoft Security | Intune | Enrollment
{count} votes
-
Lu Dai-MSFT 28,501 Reputation points2023-01-17T02:26:30.89+00:00 @Ian Wadeson Thanks for posting in our Q&A. From your description, did you mean that you don't want to enable MFA during device enrollment? If there is anything misunderstanding, please correct me.
It is suggested to try to exclude the Microsoft Intune Enrollment and Microsoft Intune cloud apps from the conditional access policy which is set "Require multifactor authentication". Also, it is needed to set "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" to "No" in Azure AD portal. These settings will bypass the MFA.
If there is anything update, feel free to let us know.
Sign in to comment
3 answers
Sort by: Most helpful
-
-
Saumil Joshi 1 Reputation point2023-01-16T19:32:13.0633333+00:00 Hi
Disabling MFA is not recommended by MS, try to enroll phone first with Authenticator app so when user try to get authenticated its allow them to enroll device.
-
Rahul Jindal [MVP] 10,911 Reputation points MVP2023-01-16T22:40:53.7733333+00:00 You can consider using TAP to allow passwordless enrollment during Autopilot provisioning. Once done, users can authenticate normally using whatever MFA method you have configured in the tenant.