![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 40%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 24%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
1) At first time , Your device is enrolled when you scan the QR code and insert the code from MFA. - If you doesn't authenticate at this point , then yes your device wont sync.
After First online when your device enrollment is complete, then its just a matter of login to your portals. Policies syncing doesn't require additional MFA.
2) Its dependent on policy , For example If there is a conditional access policy like If user is in USA and trying to access cloud apps then enforced MFA . You will be forced to MFA even when MFA was not required. Another example if user belong to certain groups are forced to MFA.
Refer below articles for more details
1) Enrollment : https://learn.microsoft.com/en-us/mem/intune/enrollment/multi-factor-authentication
2) Policy Base MFA : https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
-------please don't forget to upvote and Accept as answer if the reply is helpful-------