Require multi-factor authentication for Intune device enrollments
Intune can use Azure Active Directory (AD) multi-factor authentication (MFA) for device enrollment to help you secure your corporate resources.
MFA works by requiring any two or more of the following verification methods:
- Something you know (typically a password or PIN).
- Something you have (a trusted device that is not easily duplicated, like a phone).
- Something you are (biometrics, like a fingerprint).
MFA is supported for iOS/iPadOS, Android, Windows 8.1 or later, Windows Phone 8.1, and Windows 10 Mobile or later devices.
When you enable MFA, end users must supply two forms of credentials to enroll a device.
Configure Intune to require multi-factor authentication at device enrollment
To require MFA when a device is enrolled, follow these steps:
You must have an Azure Active Directory Premium P1 or higher license assigned to your users to implement this policy.
Do not configure device-based access rules for Microsoft Intune enrollment.
- Sign in to the Microsoft Endpoint Manager Admin Center, choose Devices > Conditional Access. The Conditional Access node accessed from Intune is the same node as accessed from Azure AD.
- Choose New policy.
- In New policy, type a descriptive name for the policy.
- In the Assignments section, choose Users and groups.
- In Users and groups, choose Select users or groups, and check Users and groups. Then select the users and/or groups that will receive this policy, and choose Done.
- In the Assignments section, choose Cloud apps.
- On the Include tab of Cloud apps, choose Select apps, then choose Select > Microsoft Intune Enrollment, and then choose Done. By choosing Microsoft Intune Enrollment, conditional access MFA is applied only to the enrollment of the device (one-time MFA prompt).
- In the Assignments section, for Conditions you do not need to configure any settings for MFA.
- In the Access controls section, choose Grant.
- In Grant, choose Grant access, and then select Require multi-factor authentication. Do not select Require device to be marked as compliant because a device cannot be evaluated for compliance until it is enrolled. Then choose Select.
- In New policy, choose Enable policy > On, and then choose Create.
When end users enroll their device, they now must authenticate with a second form of identification, like a PIN, a phone, or biometrics.
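The same policy expressed as a Microsoft Graph PowerShell script, added here as an example and not taken from the original page or from Microsoft. The group name is a placeholder; the script assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to the listed scopes.

```powershell
# Added example: create the Conditional Access policy from the steps above via Microsoft Graph.
# Scopes: write Conditional Access policies, read service principals, read groups.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Placeholder group name: replace with the group that should be prompted for MFA at enrollment.
$group = Get-MgGroup -Filter "displayName eq 'Intune Enrollment Users'"
if (-not $group) { throw "Target group not found; check the displayName filter." }

# Resolve the "Microsoft Intune Enrollment" cloud app by name instead of hard-coding its app ID.
$enrollmentApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"
if (-not $enrollmentApp) { throw "Microsoft Intune Enrollment service principal not found in this tenant." }

$policy = @{
    displayName = "Require MFA for Intune device enrollment"
    # "enabled" matches Enable policy > On; use "enabledForReportingButNotEnforced"
    # first if you want to observe sign-in logs before enforcing.
    state       = "enabled"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        # Scoping to the enrollment app means MFA is prompted once, at enrollment only.
        applications = @{ includeApplications = @($enrollmentApp.AppId) }
        # No further conditions are needed for MFA, as the steps above note.
    }
    grantControls = @{
        operator        = "OR"
        # Only "mfa": do not add "compliantDevice", because a device cannot be
        # evaluated for compliance until it has finished enrolling.
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After creation, confirm in Azure AD sign-in logs that enrollments from the targeted group show the policy applied with an MFA requirement and that no other sign-ins are affected.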