Require multifactor authentication for Intune device enrollments
Applies to:
- Windows 8.1
- Windows 10
- Windows 11
You can use Intune together with Azure Active Directory (Azure AD) conditional access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students wanting to enroll devices must first authenticate with a second device and two forms of credentials. MFA requires them to authenticate using two or more of these verification methods:
- Something you know, such as a password or PIN.
- Something you have that can't be duplicated, such as a trusted device or phone.
- Something you are, such as a fingerprint.
To implement this policy, you must assign Azure Active Directory Premium P1 or later to users.
Configure Intune to require multifactor authentication at device enrollment
Complete these steps to enable multifactor authentication during Microsoft Intune enrollment.
Don't configure device-based access rules for Microsoft Intune enrollment.
1. Sign in to the Microsoft Intune admin center.
2. Go to Devices > Conditional access. This area is the same as the conditional access area available in Azure AD. For more information about the available settings, see Cloud apps or actions.
3. Select New policy.
4. Name your policy.
5. Select the Users or workload identities category.
   - Under the Include tab, choose Select users or groups.
   - Additional options appear. Select Users and groups.
   - Add the users or groups you're assigning the policy to, and then choose Select.
   - To exclude users or groups from the policy, select the Exclude tab and add those users or groups.
6. Select the next category, Cloud apps or actions.
   - Select the Include tab.
   - Choose Select apps > Select.
   - Choose Microsoft Intune Enrollment > Select to add the app. Use the search bar in the app picker to find the app.

   For Apple automated device enrollments using Setup Assistant with modern authentication, you have two options to choose from. The following table describes the difference between the Microsoft Intune option and the Microsoft Intune Enrollment option.

   | Cloud app | MFA prompt location | Automated Device Enrollment notes |
   |---|---|---|
   | Microsoft Intune | Setup Assistant, Company Portal app | With this option, MFA is required during enrollment and each time the user signs into the Company Portal app or website. The MFA prompts appear on the Company Portal sign-in page. |
   | Microsoft Intune Enrollment | Setup Assistant | With this option, MFA is required during device enrollment and appears as a one-time MFA prompt on the Company Portal sign-in page. |
7. Under Conditions, you don't need to configure any settings for MFA.
8. Select the Grant category.
   - Select Require multifactor authentication and Require device to be marked as compliant.
   - Under For multiple controls, select Require all the selected controls.
   - Choose Select.
9. Select the Session category.
   - Select Sign-in frequency and choose Every time.
   - Choose Select.
10. For Enable policy, select On.
11. Select Create to save and create your policy.
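The same policy can be created as code, which makes it reviewable and repeatable across tenants. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not from the Microsoft documentation or the Intune product itself. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can write Conditional Access policies, and that the placeholder `$GroupId` is replaced with the object ID of the group the policy should target. The Microsoft Intune Enrollment cloud app is looked up by its display name rather than hard-coded, and the policy is read back so the grant and session controls can be compared with the steps above.

```powershell
# Added example (not Microsoft's code): builds the Conditional Access policy
# from the steps above with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of the Azure AD group that should be required to use MFA at enrollment.
$GroupId = "00000000-0000-0000-0000-000000000000"

# Resolve the "Microsoft Intune Enrollment" cloud app by display name so the script
# fails loudly if the service principal is not present in this tenant.
$enrollmentApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'" |
    Select-Object -First 1
if (-not $enrollmentApp) {
    throw "Service principal 'Microsoft Intune Enrollment' was not found in this tenant."
}

$policy = @{
    displayName = "Require MFA for Intune device enrollment"
    # "Enable policy: On". Use "enabledForReportingButNotEnforced" to pilot in report-only mode first.
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGroups = @($GroupId)
            # Equivalent of the Exclude tab; add emergency-access account groups here.
            excludeGroups = @()
        }
        applications = @{
            includeApplications = @($enrollmentApp.AppId)
        }
    }
    grantControls = @{
        # "Require all the selected controls"
        operator        = "AND"
        # "Require multifactor authentication" and "Require device to be marked as compliant"
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        # "Sign-in frequency: Every time"
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and show the controls that should match the steps above.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[PSCustomObject]@{
    Name             = $check.DisplayName
    State            = $check.State
    GrantOperator    = $check.GrantControls.Operator
    GrantControls    = ($check.GrantControls.BuiltInControls -join ", ")
    SignInFrequency  = $check.SessionControls.SignInFrequency.FrequencyInterval
    IncludedAppId    = ($check.Conditions.Applications.IncludeApplications -join ", ")
}
```

Running the script against a test tenant first and starting in report-only mode lets you confirm from the sign-in logs that only the intended enrollment sign-ins are affected before switching the state to enabled.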
After you apply and deploy this policy, users will see a one-time MFA prompt when they enroll their device.
A second device is required to complete the MFA challenge for these types of corporate-owned devices:
- Android Enterprise fully managed devices
- Android Enterprise corporate-owned devices with a work profile
- iOS/iPadOS devices enrolled via Apple automated device enrollment
- macOS devices enrolled via Apple automated device enrollment
The second device is required because the primary device can't receive calls or text messages during the provisioning process.