I've tried my best to find out if this question has already been asked and answered, but I have been unable to find any answer, so here I am!
For reference, I'm not vastly experienced using Azure AD/Intune etc., but I've learned a lot in a short space of time, so your time/explanations will be greatly appreciated.
This is a two-pronged question, as I can partly answer it for myself but can't understand why it would be happening, so I potentially need someone to educate me on what/why I'm seeing this behaviour.
I'm working on setting up an MDM rollout using Intune for a small business but haven't started rolling it out to the devices yet. Due to the size and flexibility required, we're not going down the auto-enrolment route, for now anyway. The staff will be required to install the MDM solution on their work or BYOD device, including phones, and as part of the process we were going to do a regular manual review of the Azure AD device list to identify any devices not enrolled in Intune and then take action to resolve that. When looking at the existing list, it's clear that many of the BYOD mobile phones aren't present on the list. I think I've identified the cause and I'll explain my understanding of it; the issue here is that I don't understand how it has been achieved.
When looking into why they are not listed, I've seen some explanations that the phone needs to either have the Company Portal app installed OR Device Registration should be completed in the Authenticator app. Firstly, is that correct? I've spoken to one of the users whose device isn't appearing in Azure, and when he goes into Settings - Device Registration it stated they were not registered. They then registered, and when they did so I was almost instantly able to see the device in Azure AD.
The main question, though, and the one causing most of the confusion, is caused by the fact that we have MFA enforced (via O365), which has been in place for 2+ months, so all employees have signed into the Authenticator app on their personal devices (both Android and iOS) to use MFA on their work account.
How have they managed to set up a workplace account for MFA via the app without registering the device (I've tried the process of setting up the Authenticator and can't see how they've achieved this)?
How does it continue to work if they're not registered with the workplace?
Is there any way to correct this? (I can't think of any; currently on Azure AD Free.)
Any other explanations welcome.
Using Azure AD Free with Intune licences.
O365-enforced MFA.
Any other tips in this area are appreciated. Thanks for taking your time to read and respond!
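As an added example (not part of the original post), the review described above can be partly automated with the Microsoft Graph PowerShell SDK: list every device record Azure AD holds and flag the ones that are registered but not managed by Intune. It assumes the Microsoft.Graph module is installed and the signed-in account can consent to the Device.Read.All permission.

```powershell
# Added example, not the poster's code. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the account used can consent to Device.Read.All.
Connect-MgGraph -Scopes "Device.Read.All"

# Pull the directory's device objects with the fields relevant to the review.
$devices = Get-MgDevice -All -Property displayName,operatingSystem,trustType,isManaged,isCompliant,registrationDateTime,approximateLastSignInDateTime

$devices |
    Select-Object DisplayName, OperatingSystem,
        # trustType: Workplace = Azure AD registered (typical BYOD), AzureAd = Azure AD joined, ServerAd = hybrid joined
        @{ Name = 'JoinType';      Expression = { $_.TrustType } },
        @{ Name = 'IntuneManaged'; Expression = { [bool]$_.IsManaged } },
        @{ Name = 'Compliant';     Expression = { [bool]$_.IsCompliant } },
        RegistrationDateTime, ApproximateLastSignInDateTime |
    Sort-Object IntuneManaged, DisplayName |
    Format-Table -AutoSize

# The follow-up list: records that exist in Azure AD but are not Intune-managed.
$notManaged = $devices | Where-Object { -not $_.IsManaged }
"{0} of {1} Azure AD device records are not managed by Intune" -f @($notManaged).Count, @($devices).Count
```

A phone that was never registered (the case in the question) has no device object at all, so it cannot appear in this or any other directory query; the script covers only the half of the review that can be done from the device list.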