Question

0 Votes
testuser7-8288 asked:

Microsoft Intune on CA policy

I have a recollection that, out of the two similar apps, i.e., Microsoft Intune Enrollment and Microsoft Intune, on a conditional-access policy we should use Microsoft Intune.
Is that a correct understanding? For example, if we want to wrap MFA around Intune enrollment, we should use Microsoft Intune as the cloud resource?

We are standing up a new tenant and hence we should do what MS is recommending.
I believe they are phasing out Microsoft Intune Enrollment.

Appreciate your help!!!

Thanks.

Tags: mem-intune-general, mem-intune-enrollment

1 Answer

1 Vote
Jason-MSFT answered:

The above is correct, as you generally don't want MFA or CA to be enforced during enrollment, which is what the enrollment application is specific to. From memory, it's not so much that we are phasing out this application; it's just not shown in new tenants, to prevent confusion and to prevent MFA/CA from applying to it.


Thanks @Jason-MSFT
So Microsoft Intune is the cloud resource we should be using.

The other aspect is where I have a disagreement.
We do want to do MFA while the user is enrolling his Android device in Intune.
So we want to create a conditional-access policy with cloud resource = Microsoft Intune.

Is my design correct?

Thanks.

0 Votes

"We do want to do MFA while the user is enrolling his Android device in Intune."

This is impossible to do with new users though as they don't have an enrolled device to perform MFA on and so you have a catch-22.

0 Votes

Hi @Jason-MSFT

I guess I am missing some important point here.

Why do we need an ENROLLED device to perform MFA?
In fact, I was thinking that AAD will send the text message to the same mobile phone which the user is trying to enroll with Intune as a BYOD enrollment.
The user is NOT new to the organization. He has used the combined registration portal and registered "Text message" as his MFA method.


I understand that if I have coupled the CA policy to enroll only from a compliant device, then it will certainly fail, because the mobile device is NOT yet enrolled and hence the compliant status has not reached AAD.


Appreciate your help!!!

Thanks.

0 Votes

I'm not saying you don't want this, necessarily; I'm simply saying that this is the common case and reason. Although, sending a text message to the device currently being enrolled seems pointless, as it doesn't prove or prevent anything with regard to that device. You can certainly enable it if that's your desire, though.

0 Votes

Got it. Thanks @Jason-MSFT

So technically it is NOT a catch-22 scenario. If needed, we can definitely perform MFA during Intune enrollment.


I am not fully convinced of how it is pointless, though.
If you have my AAD password, the only way I can stop you from registering your Android device in my AAD and enrolling it in my Intune is if MFA is required.


I guess the goal here is NOT to validate which device is getting enrolled.
The focus is only that authorized people's devices get registered and enrolled.


Once again thanks for confirming.

0 Votes

It's a catch-22 for new users with new devices and there's no way to distinguish this from existing users.

0 Votes

Oh yes, absolutely: if it is a brand-new user who has never undergone MFA registration, it is a catch-22 (unless MFA pre-registration was carried out while he was provisioned in the tenant).

0 Votes

Right, so this is a limitation today, and there's no way to distinguish between the two, thus making it a difficult overall scenario to manage.

1 Vote
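One way to express the design the thread settles on (require MFA by targeting the Microsoft Intune cloud app, never Microsoft Intune Enrollment, and never a compliant-device grant that a device still being enrolled cannot satisfy) as a Microsoft Graph conditional-access policy body, with a small linter for those mistakes. This is an added example, not code from the thread or from Microsoft; the two application IDs are assumed values that you should confirm in your own tenant.

```python
"""Entra Conditional Access policy body (Graph API shape) that requires MFA for
Intune enrollment by targeting the Microsoft Intune cloud app, plus a linter
for the two mistakes this thread discusses."""
import json

# First-party application IDs as they appear in Entra ID. These are assumed
# here; confirm them in your own tenant (e.g. GET /servicePrincipals filtered
# by displayName) before using them in a real policy.
INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"            # "Microsoft Intune"
INTUNE_ENROLLMENT_APP_ID = "d4ebce55-015a-49b5-a083-c84d1797ae8c"  # "Microsoft Intune Enrollment"


def build_mfa_for_intune_policy(display_name="CA - Require MFA for Microsoft Intune"):
    """Return a request body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": display_name,
        # Report-only first; switch to "enabled" once sign-in logs look right.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {
                "includeApplications": [INTUNE_APP_ID],  # not the Enrollment app
                "excludeApplications": [],
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy):
    """Return findings for a policy meant to gate enrollment; [] means it
    matches the guidance in the thread above."""
    findings = []
    conditions = policy.get("conditions", {})
    included = set(conditions.get("applications", {}).get("includeApplications", []))
    grants = set(policy.get("grantControls", {}).get("builtInControls", []))
    if INTUNE_ENROLLMENT_APP_ID in included:
        findings.append("targets Microsoft Intune Enrollment; CA/MFA should not be applied there")
    if INTUNE_APP_ID not in included and "All" not in included:
        findings.append("does not target Microsoft Intune, so enrollment will not prompt for MFA")
    if "mfa" not in grants:
        findings.append("grant controls do not require MFA")
    if "compliantDevice" in grants:
        findings.append("requires a compliant device, which a device being enrolled cannot satisfy yet")
    return findings


if __name__ == "__main__":
    policy = build_mfa_for_intune_policy()
    print(json.dumps(policy, indent=2), lint_policy(policy))
```

The body can be sent as-is to the Graph conditional-access policies endpoint; run the linter over policies exported from a tenant to catch ones that still target the enrollment app.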