Question

Asked by SeanStephen-5454 (edited by LuDaiMSFT-0289)

Azure AD - Device List - Mobile Devices Not Listed / Microsoft Authenticator Device Registration

I've tried my best to find out if this question has already been asked and answered but unable to find any answer so here I am!

For reference, I'm not vastly experienced using Azure AD/Intune etc. but have learned a lot in a short space of time, so your time/explanations will be greatly appreciated.

This is a two-pronged question, as I can partly answer it for myself but am unable to understand why it would be happening, so I potentially need someone to educate me on what/why I'm seeing the behaviour.

I'm working on setting up an MDM rollout using Intune for a small business but haven't started rolling it out to the devices yet. Due to size and flexibility required, we're not going down the auto-enrolment process for now anyway. The staff will be required to install the MDM solution on their work or BYOD device, including phones, and as part of the process we were going to do a manual review on a regular basis of the Azure AD device list to identify any devices not enrolled in Intune and then take action to resolve. When looking at the existing list it's clear that many of the BYOD mobile phones aren't present on the list. I think I've identified why and I'll explain my understanding of that; the issue here is that I don't understand how it's been achieved.

When looking into why they are not listed I've seen some explanations that the phones need to either have the Company Portal app installed OR the Device Registration should be completed in the Authenticator app. Firstly, is that correct? I've spoken to one of the users whose device isn't appearing in Azure, and when he goes into Settings - Device Registration it stated they were not registered. They then registered, and when they did so I was almost instantly able to see the device in Azure AD.

The main question, though, and the one causing most of the confusion, arises from the fact that we have MFA enforced (via O365), which has been in place for 2+ months, so all employees have signed into the Authenticator app on their personal devices (both Android and iOS) to use MFA on their work account.

  • How have they managed to set up a workplace account for MFA via the app without registering the device (I've tried the process of setting up the Authenticator and can't see how they've achieved this)?

  • How does it continue to work if they're not registered with the workplace?

  • Is there any way to correct this? (I can't think of any; currently on Azure AD Free.)

  • Any other explanations welcome.

Using Azure Free with Intune Licenses.
O365 Enforced MFA.

Any other tips in this area are appreciated. Thanks for taking your time to read and respond!

Thanks

Tags: microsoft-authenticator, intune-enrollment, azure-ad-device-management
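The "manual review of the Azure AD device list" described in the question is easier to reason about with a script that separates Intune-enrolled devices from devices that are merely Azure AD registered (the state the Authenticator app's Device Registration produces). This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Graph `device` resource as returned by `GET /v1.0/devices` (properties `isManaged`, `isCompliant`, `trustType`, `approximateLastSignInDateTime`), and the sample records are constructed:

```python
"""Triage an Azure AD device list: enrolled vs registered-only vs stale."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample of records in the shape GET /v1.0/devices returns.
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-01", "operatingSystem": "Windows", "trustType": "AzureAd",
     "isManaged": True, "isCompliant": True,
     "approximateLastSignInDateTime": "2023-03-01T09:00:00Z"},
    {"displayName": "Sean's iPhone", "operatingSystem": "iOS", "trustType": "Workplace",
     "isManaged": False, "isCompliant": None,          # Authenticator registration only
     "approximateLastSignInDateTime": "2023-03-02T08:30:00Z"},
    {"displayName": "Pixel 6", "operatingSystem": "Android", "trustType": "Workplace",
     "isManaged": True, "isCompliant": False,          # enrolled but failing compliance
     "approximateLastSignInDateTime": "2023-02-28T17:10:00Z"},
    {"displayName": "OLD-DESKTOP", "operatingSystem": "Windows", "trustType": "AzureAd",
     "isManaged": True, "isCompliant": True,
     "approximateLastSignInDateTime": "2022-10-01T09:00:00Z"},
]
SAMPLE_NOW = datetime(2023, 3, 3, tzinfo=timezone.utc)   # constructed review date


def fetch_devices(access_token):
    """Page through GET /v1.0/devices with a Graph token (Device.Read.All)."""
    url = ("https://graph.microsoft.com/v1.0/devices?$select=displayName,operatingSystem,"
           "trustType,isManaged,isCompliant,approximateLastSignInDateTime")
    devices = []
    while url:  # Graph returns @odata.nextLink until the last page
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices


def classify(device, now, stale_days=90):
    """Return 'stale', 'registered_only', 'non_compliant' or 'enrolled'."""
    last = device.get("approximateLastSignInDateTime")
    if last and datetime.fromisoformat(last.replace("Z", "+00:00")) < now - timedelta(days=stale_days):
        return "stale"                      # not seen recently: candidate for cleanup
    if not device.get("isManaged"):
        return "registered_only"            # trustType 'Workplace' without Intune enrollment
    if device.get("isCompliant") is False:
        return "non_compliant"
    return "enrolled"


def triage(devices, now, stale_days=90):
    """Group device display names by classification, ready for the manual review."""
    buckets = {"enrolled": [], "non_compliant": [], "registered_only": [], "stale": []}
    for d in devices:
        buckets[classify(d, now, stale_days)].append(d["displayName"])
    return buckets
```

Run `triage(fetch_devices(token), datetime.now(timezone.utc))` against a real tenant; the `registered_only` bucket is the list of BYOD phones that appear in Azure AD only because of Authenticator registration.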

1 Answer

Answered by Jason-MSFT (edited by LuDaiMSFT-0289)

"we were going to do a manual review on a regular basis of the AzureAD Device list to identify any devices not enrolled in InTune to then take action to resolve"

This is painful at best. Use conditional access to force the users to enroll (if that's desired) and prevent access if they don't. Done.

Additionally or alternatively, for BYOD devices (iOS and Android), use App Protection Policies and obviate the need for enrollment altogether.


@SeanStephen-5454
"When looking into why they are not listed I've seen some explanations that the phones need to either have the Company Portal app installed OR the Device Registration should be completed on the Authenticator app - Firstly, is that correct?"

Yes. If you haven't enrolled the devices in Intune, they are not listed. For BYOD devices, the Company Portal app needs to be installed to enroll them. And as Jason said, if you don't want to enroll devices, using app protection policies is a good choice.


@SeanStephen-5454 I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns, please don't hesitate to let us know.


Hello @LuDaiMSFT-0289

The issue isn't so much that we don't want to enrol; it's that the devices are mostly BYOD, especially when it comes to mobile phones, so if they connect without enrolling we won't be aware of the devices being used to connect.

As Jason also said, there's the option to use conditional access, but that's not available with our current license (there is potential to extend licenses to that should we require it, especially if we get larger as a business).

At the moment we've gone with making it our policy for everyone to enrol, so we get the security benefits of enrolment, with app protection policies in place for mobile apps in that instance and much more restrictive ones should someone connect without enrolment.
