Require multi-factor authentication for Intune device enrollments
Intune can use Azure Active Directory (AD) multi-factor authentication (MFA) for device enrollment to help you secure your corporate resources.
MFA works by requiring any two or more of the following verification methods:
- Something you know (typically a password or PIN).
- Something you have (a trusted device that is not easily duplicated, like a phone).
- Something you are (biometrics, like a fingerprint).
MFA is supported for iOS, Android, Windows 8.1 or later, Windows Phone 8.1, or Windows 10 Mobile or later devices.
When you enable MFA, end users must supply two forms of credentials to enroll a device.
Configure Intune to require multi-factor authentication at device enrollment
To require MFA when a device is enrolled, follow these steps:
You must have an Azure Active Directory Premium P1 or above assigned to your users to implement this policy.
Do not configure Device based access rules for Microsoft Intune enrollment.
- Sign in to your Microsoft Azure portal with your credentials.
- In the portal, choose Azure Active Directory.
- In Azure Active Directory, choose Manage > Enterprise applications.
- In Enterprise applications, choose Manage > All applications. You see a list of all Azure apps that you manage.
- From the list, choose Microsoft Intune enrollment.
- In Microsoft Intune Enrollment, choose Security > Conditional access.
- Choose New policy.
- In New policy, type a descriptive name for the policy.
- In the Assignments section, choose Users and groups.
- In Users and groups, choose the users or groups that will receive this policy, then choose Done.
- In the Assignments section, choose Cloud apps.
- On the Include tab of Cloud apps, choose Select apps, then choose Select > Microsoft Intune Enrollment, and then choose Done.
- In the Assignments section, choose Conditions.
- In Conditions, you do not need to configure any settings for MFA.
- In the Access controls section, choose Grant.
- In Grant, choose Grant access, and then select Require multi-factor authentication. Do not select Require device to be marked as compliant because a device cannot be evaluated for compliance until it is enrolled.
- Choose Select.
- In New policy, choose Enable policy > On, and then choose Create.
When end users enroll their device, they now must authenticate with a second form of identification, like a PIN, a phone, or biometrics.