Multi-factor authentication for Intune device enrollments

Intune integrates Azure AD multi-factor authentication (MFA) for device enrollment to help you secure your corporate resources.

MFA works by requiring any two or more of the following verification methods:

  • Something you know (typically a password or PIN).
  • Something you have (a trusted device that is not easily duplicated, like a phone).
  • Something you are (biometrics).

MFA is supported for iOS, Android, Windows 8.1 or later, and Windows Phone 8.1 or later devices.

In older versions of Configuration Manager (earlier than release 1610), you will still see the MFA setting in the Configuration Manager admin console. Do not attempt to configure MFA in the Configuration Manager admin console, as it will not work. Configure MFA as described in this topic.

Configure Intune to require multi-factor authentication at device enrollment

To require MFA when a device is enrolled, follow these steps:

  1. Sign in to the Microsoft Azure portal with your admin credentials.

  2. Choose your tenant.

  3. Choose the Applications tab. You will see a list of services for which you can configure Azure AD security features.

  4. Choose Microsoft Intune Enrollment.

  5. Choose Configure.

  6. Under Multi-factor authentication and location-based access rules, you can:

    • Enable the access rules.
    • Choose whether to apply the rules to all users or to specific Azure AD security groups.
    • Require multi-factor authentication for enrollment of all devices.
    • Require multi-factor authentication for enrollment when the device is not at work.
    • Choose Block access to corporate resources to prevent enrollment of a device when it is not connected to the corporate network.

  7. You can also click the link to define or edit your work network location, to configure the network connectivity requirements for device enrollment.
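The steps above are performed in the Azure portal. As an added example that is not part of the original page, the same access rule (require MFA when a user in a chosen security group enrolls a device in Intune) is expressed below as an Azure AD Conditional Access policy created with the Microsoft Graph PowerShell SDK, which is the API-driven equivalent of the portal setting. It assumes the Microsoft.Graph module is installed, that a service principal named "Microsoft Intune Enrollment" is present in the tenant, and that a security group named "Intune Enrollment Users" exists; the group name and policy name are placeholders to adjust for your tenant.

```powershell
# Added example, not from the original page: require MFA at Intune device enrollment
# as a Conditional Access policy created through Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the "Microsoft Intune Enrollment"
# service principal exists in the tenant; a security group named
# "Intune Enrollment Users" exists (placeholder name).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve the Intune Enrollment cloud app by display name instead of hard-coding its app ID.
$enrollApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'" |
    Select-Object -First 1
if (-not $enrollApp) {
    throw 'Microsoft Intune Enrollment service principal not found in this tenant.'
}

# Scope the rule to a specific Azure AD security group (the portal's "specific security groups" option).
$group = Get-MgGroup -Filter "displayName eq 'Intune Enrollment Users'" | Select-Object -First 1
if (-not $group) {
    throw 'Target security group not found; create it or change the name above.'
}

$policy = @{
    displayName = 'Require MFA for Intune device enrollment'
    # Start in report-only mode so the effect on real enrollments can be reviewed
    # in the sign-in logs; change to 'enabled' to enforce.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($enrollApp.AppId) }
        users          = @{ includeGroups = @($group.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

To reproduce the portal's "require MFA only when the device is not at work" option, add a `locations` block under `conditions` with `includeLocations = @('All')` and `excludeLocations` set to the ID of a named location you have defined for your corporate network; the policy then applies MFA everywhere except from that trusted location. Keep the policy in report-only state until the sign-in logs confirm it matches only the enrollments you intend.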

Do not configure Device based access rules for Microsoft Intune Enrollment.