Intune Android Enterprise MFA

DaNmAN 201 Reputation points


When we initially migrated from Android Device Administrator to Android Enterprise we came across an issue with user enrolment in fully managed mode.

If the device the user had just factory reset was the same device they previously used for MFA, then they could not complete MFA on said device (too early in the device boot process to receive a text or an app prompt).

Microsoft gave us two options at that point:

  1. Exclude the user from MFA during enrolment.
  2. Ask the user to MFA using an alternative device.

We chose option 1 and excluded users from our current CA policy during enrolment.

This CA policy provides two controls:

MFA required
Require device to be marked as compliant.

We were not too concerned about the device compliance, as if a device was non-compliant, removing the user from the CA exclusion would ensure the device would have to be made compliant or users would lose access to company resources.

This was never an ideal situation, but it's what we had at the time.

Microsoft have attempted to address this situation by suggesting that we exclude the following cloud app from the CA policy: 'Intune Enrolment'.

I tested this and I still faced an MFA prompt during enrolment. I confirmed using What If that no other CA policy was in effect for my user account. I did some TechNet deep diving and found that other users have experienced the same issue recently. They have been advised that they now need to exclude both 'Intune' AND 'Intune Enrolment' so that users can enrol without any MFA prompt.

I tested this and it works.

With our current CA policy granting both device marked as compliant and MFA, then excluding 'Intune' from this, does this mean this CA policy will no longer mark our devices as non-compliant and block access to resources because we are excluding the cloud service 'Intune'?

Microsoft Intune Enrollment

Accepted answer
  1. Lu Dai-MSFT 28,366 Reputation points

    @DaNmAN Thanks for posting in our Q&A.

    Based on my understanding, Intune evaluates whether the device is compliant, rather than CA. For this issue, I have done some research. I find that a device can't be evaluated for compliance until it's enrolled.

    On the other hand, if we select "Require device to be marked as compliant" for All users and All cloud apps, it will trigger device enrollment. We can read the following article as a reference.

    In conclusion, access to resources depends on whether the device is compliant in intune.

    Hope the above information will help.


2 additional answers

  1. Pa_D 1,071 Reputation points

    As long as you have O365 & SharePoint apps selected in CA, it is going to check the device compliance. So to answer your question, Azure CA policy will block if the device is non-compliant, even though you have excluded Intune from CA policy.

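To make the point of the two answers above concrete, here is an added example (not code from any participant in this thread, and not Microsoft's evaluation engine): a small Python model of how a Conditional Access policy is scoped per target cloud app. The app display names, the assumption that the fully-managed enrolment flow requests tokens for both "Microsoft Intune Enrollment" and "Microsoft Intune", and the evaluator itself are constructed for illustration; a real policy in Microsoft Graph references application IDs taken from your own tenant rather than display names.

```python
from dataclasses import dataclass

# Grant controls, named as the thread names them. The operator is AND: the
# policy described on the page grants access only when both are satisfied.
MFA = "mfa"
COMPLIANT_DEVICE = "compliantDevice"


@dataclass
class CAPolicy:
    name: str
    include_apps: set  # {"All"} or a set of cloud-app display names
    exclude_apps: set  # cloud apps removed from the policy's scope
    grant_controls: set  # every listed control must be satisfied

    def applies_to(self, app: str) -> bool:
        """Scope is decided per target app: an excluded app is never evaluated."""
        if app in self.exclude_apps:
            return False
        return "All" in self.include_apps or app in self.include_apps


@dataclass
class SignIn:
    user: str
    app: str  # the cloud app the token is being requested for
    mfa_satisfied: bool
    device_compliant: bool  # Intune's verdict; an unenrolled device is never compliant


def evaluate(policy: CAPolicy, signin: SignIn) -> tuple:
    """Return ("grant" | "block", reason). Controls are checked only when in scope."""
    if not policy.applies_to(signin.app):
        return "grant", f"{signin.app!r} is excluded from {policy.name!r}"
    missing = []
    if MFA in policy.grant_controls and not signin.mfa_satisfied:
        missing.append(MFA)
    if COMPLIANT_DEVICE in policy.grant_controls and not signin.device_compliant:
        missing.append(COMPLIANT_DEVICE)
    if missing:
        return "block", "unsatisfied controls: " + ", ".join(missing)
    return "grant", "all controls satisfied"


# Constructed model of the enrolment flow described in the question: tokens
# are requested for both Intune apps, at a point where the device is not yet
# enrolled (so not compliant) and the user cannot complete MFA on it.
ENROLMENT_APPS = ("Microsoft Intune Enrollment", "Microsoft Intune")


def enrolment_blocked(policy: CAPolicy, user: str = "alice") -> bool:
    """True if any token request in the enrolment sequence is blocked."""
    for app in ENROLMENT_APPS:
        decision, _ = evaluate(
            policy, SignIn(user, app, mfa_satisfied=False, device_compliant=False)
        )
        if decision == "block":
            return True
    return False


def build_policy(excluded_apps: set) -> CAPolicy:
    """The page's policy: all cloud apps, MFA plus compliant device, minus exclusions."""
    return CAPolicy(
        name="Require MFA and compliant device",
        include_apps={"All"},
        exclude_apps=set(excluded_apps),
        grant_controls={MFA, COMPLIANT_DEVICE},
    )


if __name__ == "__main__":
    only_enrolment = build_policy({"Microsoft Intune Enrollment"})
    both = build_policy({"Microsoft Intune Enrollment", "Microsoft Intune"})
    print("exclude Intune Enrollment only -> enrolment blocked:", enrolment_blocked(only_enrolment))
    print("exclude both Intune apps       -> enrolment blocked:", enrolment_blocked(both))
    # After enrolment, a non-compliant device reaching SharePoint is still in scope,
    # because SharePoint was never excluded: the compliance control still bites.
    sp = SignIn("alice", "SharePoint Online", mfa_satisfied=True, device_compliant=False)
    print("non-compliant device to SharePoint:", evaluate(both, sp))
    sp.device_compliant = True
    print("compliant device to SharePoint:    ", evaluate(both, sp))
```

The model shows why excluding only 'Intune Enrolment' still produced a prompt in the model (the second token request, for 'Intune', remains in scope) and why excluding both does not weaken the policy for other resources: exclusion narrows which apps are evaluated, not which controls apply to the apps that remain.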

  2. DaNmAN 201 Reputation points

    So if we exclude both Intune and Intune Enrolment from our CA policy, which grants both MFA and device marked as compliant, then if the device is non-compliant our CA policy will still block access to company resources.

    That is what I wanted to hear thank you both :)