Enrolling an IOS Device with MFA Enabled

Question

Hello all

Having issues with enrolling a new IOS device (new Iphone) cause user is enabled for MFA and unable to enroll device cause the device itself is unable to receive a code after entering user name and password for MFA.

have tried setting temporary access pass (TAP), use the browser to login as user and configure the new number, but still the device is not enrolled and unable to move forward. the device needs to be enrolled before it is able to receive SMS code.

I know some suggest the following

1. exclude user from MFA initially and enroll the device
2. exclude Microsoft in-tune enrollment from conditional access policy

The above two suggestion are good, but reduce your security level in the environment. Does any one resolve this issue with out compromising the security of the environment.

Answer 1

Hi,

Thank you for posting in Microsoft Q&A forum.

Is it a BYOD iOS device? If it is enrolled via Apple automated device enrollment, a second device is required to complete the MFA for iOS devices. Because the primary device can't receive calls or text messages during the provisioning process.

Per the official article: Require multifactor authentication for Intune device enrollments

Thanks for your time. Have a nice day!

Best regards,

Simon

---

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.