Multi-factor authentication for Intune device enrollments
|Applies to: Intune in the classic portal|
|Looking for documentation about the Intune Azure portal preview? Go here.|
Intune integrates Azure AD multi-factor authentication (MFA) for device enrollment to help you secure your corporate resources.
MFA works by requiring any two or more of the following verification methods:
- Something you know (typically a password or PIN).
- Something you have (a trusted device that is not easily duplicated, like a phone).
- Something you are (biometrics).
MFA is supported for iOS, Android, Windows 8.1 or later, or Windows Phone 8.1 or later devices.
In older versions of Configuration Manager (earlier than release 1610), you will still see the MFA setting in the Configuration Manager admin console. Do not attempt to configure MFA in the Configuration Manager admin console, as it will not work. Configure MFA as described in this topic.
Configure Intune to require multi-factor authentication at device enrollment
To require MFA when a device is enrolled, follow these steps:
- Sign in to your Microsoft Azure portal with your admin credentials.
- Choose your tenant.
- Choose the applications tab. You will see a list of services for which you can configure Azure AD security features.
- Choose Microsoft Intune enrollment.
- Choose Configure.
Under multi-factor authentication and location-based access rules you can:
- Enable the access rules
- Choose whether to apply the rules to all users or to specific Azure AD security groups.
- Require multi-factor authentication for enrollment of all devices.
- Require multi-factor authentication for enrollment when the device is not at work.
- Choose Block access to corporate resources to prevent enrollment of a device when it is not connected to the corporate network.
- You can also click the link to define/edit your work network location, to configure network connectivity requirements for device enrollment.
Do not configure Device based access rules for Microsoft Intune Enrollment.