Chned-6770 asked:

[Intune] Disable MFA for specific devices for enrollment

So we wanted to hand out a few hundred notebooks in our organization which are intended for shared use next week. These notebooks aren't enrolled yet; we wanted to let our users enroll them in Intune. So the first user who will use the laptop needs to follow our manual to do so.

Only problem is that our organization is enforcing MFA; biggest problem is that most of these specific users don't have a cellphone or smartphone from our organization. Is there a way to exclude only these shared devices from having to use MFA when enrolling? Or does anyone have another, better solution for this last-minute issue?

Thanks in advance!

mem-intune-conditional-access

LuDaiMSFT-0289 answered:

@Chned-6770 Thanks for posting in our Q&A.

To clarify this issue, we would appreciate your help in checking where you enforced MFA. Did you enable MFA per user in the Azure AD portal, or did you enable MFA through Conditional Access?

If you enabled MFA per user in the Azure AD portal, it is suggested to try disabling it temporarily.

And if you enabled MFA through Conditional Access, it is recommended to try excluding the Microsoft Intune Enrollment and Microsoft Intune cloud apps from the MFA Conditional Access policy. Also, you need to set "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" to "No" in the Azure AD portal. These settings will bypass MFA.

Hope the above information will help.


Chned-6770 replied:

Thanks for your information. The only problem is that only this specific batch of notebooks needs to be excluded from MFA at enrollment. Is that also possible?

LuDaiMSFT-0289 commented:

@Chned-6770 Based on my understanding, it isn't possible to enroll only this specific batch of notebooks without MFA. Because the organization enforces MFA, all devices or users need MFA validation. If you exclude enrollment from the need for MFA, all device enrollment will happen without MFA.

Please understand that MFA is a feature of Azure AD and not Intune. Given this situation, it is better to contact Azure AD support for more help. Here is the online support link; hope it helps.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto

Thanks for understanding.

AzureApprentice-3319 answered:

@Chned-6770 You can create a group where all of the included members are excluded from MFA. After they enroll, you can exclude them. That's how we do it at our organization.

Comment:

@AzureApprentice-3319 - Would you be able to elaborate on where you created this group and what policy you applied to it? We're running into the same issue and need to exclude users from MFA when techs set up their laptops for them.

AzureApprentice-3319 replied:
I personally did not create the policy; hopefully this will help you:
https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
Right now we add the user to the group where MFA is turned off, and that lets the user pass the legacy authentication of macOS during the initial configuration of macOS.
Keep in mind that legacy authentication is used on devices which were shipped with a default macOS version older than Big Sur. If the factory version of the Mac devices is Big Sur or later, you can use modern authentication, but this needs to be enabled. It's very important to remove the user from the MFA exclude group after the legacy authentication is complete, since otherwise this user can be easily compromised.

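The approach in the last two replies (a temporary Conditional Access exclusion group that is emptied again once enrollment is done) as an added example script; it is not from the thread or from Microsoft, and it assumes the Microsoft Graph PowerShell module, an existing group named "MFA-Enrollment-Exclusion" (assumed name) that the MFA Conditional Access policy lists under excluded groups, and an account allowed to manage group membership and read policies.

```powershell
# Added example (not from the thread): manage a temporary MFA-exclusion group
# around an enrollment window, show which Conditional Access policies it
# affects, and verify the group is empty again afterwards.
param(
    [string]$ExclusionGroupName = 'MFA-Enrollment-Exclusion',  # assumed group name
    [string[]]$UserPrincipalNames = @(),   # users of this enrollment batch
    [switch]$Cleanup                        # remove everyone once the window is over
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All','Policy.Read.All','User.Read.All' | Out-Null

$group = Get-MgGroup -Filter "displayName eq '$ExclusionGroupName'"
if (-not $group) { throw "Exclusion group '$ExclusionGroupName' not found" }

# Make the scope of the exemption visible: every policy that excludes this
# group is bypassed for its members, not only the enrollment-related one.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.ExcludeGroups -contains $group.Id } |
    ForEach-Object { Write-Host "Policy excluding this group: $($_.DisplayName) [$($_.State)]" }

if ($Cleanup) {
    # End of the enrollment window: nobody should remain exempt from MFA.
    Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $_.Id
        Write-Host "Removed $($_.Id) from the exclusion group"
    }
}
else {
    # Start of the window: add only the users who will enroll this batch.
    foreach ($upn in $UserPrincipalNames) {
        $user = Get-MgUser -UserId $upn
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        Write-Host "Added $upn to the exclusion group"
    }
}

# Final check, worth running on a schedule: after cleanup this must be zero.
$remaining = @(Get-MgGroupMember -GroupId $group.Id -All)
Write-Host "Users still excluded from MFA: $($remaining.Count)"
```

Run it once with `-UserPrincipalNames` before handing out the devices and once with `-Cleanup` as soon as enrollment is finished; the final count is the number the thread warns about, so anything other than zero outside the window deserves a look.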