User is unexpectedly being prompted for MFA enrollment during device registration.

Question

I am unable to locate the source of MFA enrollment prompt when user is registering the device in Azure. I have verified that MFA is not enabled/enforced for the user and there is no Conditional Access policy applied which requires MFA to be performed by the user experiencing the issue. What could be the reason for MFA prompt only during the device registration to Azure?

Thanks!

Answer 1

Hi @Sumarigo-MSFT • Thank you for reaching out.

If the MFA Enrollment prompt appears only during device registration/join process, and user doesn't get MFA prompt when accessing any cloud application, you need to check below setting:

Azure active directory > Devices > Device Settings > "Require Multi-Factor Authentication to register or join devices with Azure AD"

If the above setting is set to YES, Multi-Factor Authentication is required when adding devices to Azure AD. Users who are adding devices from the internet must add a second method of authentication.

Important:

• This setting does not apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure and Azure AD joined devices using Windows Autopilot self-deployment mode.
• Microsoft recommends setting this device setting to No and require Multi-Factor Authentication using Conditional Access to register or join devices with Azure AD.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.