Hi
When we initially migrated from Android Device Administrator to Android Enterprise we came across an issue with user enrolment in fully managed mode.
If the device the user had just factory reset was the same device they previously used for MFA, then they could not complete MFA on said device (too early in the device boot process to receive a text or an app prompt).
Microsoft gave us two options at that point:
1. Exclude the user from MFA during enrolment.
2. Ask the user to MFA using an alternative device.
We chose option 1 and excluded users from our current CA policy during enrolment.
This CA policy provides two controls:
MFA required
Require device to be marked as compliant.
We were not too concerned about the device compliance as, if a device was non-compliant, removing the user from the CA exclusion would ensure the device would have to be made compliant or users would lose access to company resources.
This was never an ideal situation, but it's what we had at the time.
Microsoft have attempted to address this situation by suggesting that we exclude the following cloud app from the CA policy: 'Intune Enrolment'.
I tested this and I still faced an MFA prompt during enrolment. I confirmed using What If that no other CA policy was in effect for my user account. I did some TechNet deep diving and found that other users have experienced the same issue recently. They have been advised that they now need to exclude both 'Intune' AND 'Intune Enrolment' so that users can enrol without any MFA prompt.
I tested this and it works.
With our current CA policy granting access on both device marked as compliant and MFA, and then excluding 'Intune' from it, does this mean this CA policy will no longer mark our devices as non-compliant and block access to resources because we are excluding the cloud service 'Intune'?
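An added check, not part of the post above: the script lists every Conditional Access policy together with the Intune cloud apps it excludes and the grant controls it enforces, so an admin can see exactly which apps each exclusion removes from a policy's scope and confirm that the compliant-device requirement still covers other resources. It uses the Microsoft Graph PowerShell SDK and resolves the Intune service principals by display name rather than hard-coding app IDs; the required scopes and the 'Microsoft Intune' display-name prefix are assumptions to verify in your tenant.

```powershell
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed
# and the signed-in account can read CA policies and service principals.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All'

# Resolve the Intune-related service principals (e.g. 'Microsoft Intune',
# 'Microsoft Intune Enrollment') by display name; assumption: the tenant's
# display names start with 'Microsoft Intune'.
$intuneApps = Get-MgServicePrincipal -Filter "startswith(displayName,'Microsoft Intune')" -All |
    Select-Object DisplayName, AppId

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $excluded = @($p.Conditions.Applications.ExcludeApplications)

    # Intune apps that this policy excludes. An excluded app is out of the policy's
    # scope entirely, so neither MFA nor the compliant-device control applies to
    # sign-ins to that app; the policy still applies to every app it includes.
    $excludedIntune = $intuneApps | Where-Object { $excluded -contains $_.AppId }

    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State
        IncludeApps    = (@($p.Conditions.Applications.IncludeApplications) -join ', ')
        ExcludedIntune = (@($excludedIntune.DisplayName) -join ', ')
        GrantControls  = (@($p.GrantControls.BuiltInControls) -join ', ')
        Operator       = $p.GrantControls.Operator
    }
}

# Policies that exclude an Intune app but still list 'compliantDevice' keep
# enforcing compliance for the apps they include (typically 'All').
$report | Sort-Object Policy | Format-Table -AutoSize
```

Review the rows whose ExcludedIntune column is non-empty: the GrantControls and IncludeApps columns show what those policies still enforce, and for which apps, after the exclusion.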