Coming with the December 2016 update of the Intune service, we are enhancing the options for requiring MFA (multi-factor authentication) during device enrollment. Prior to this change, the MFA requirement could only be configured within the Intune admin console, and it applied only to Windows devices. The configuration looked like this:
The new method is configured in the Windows Azure portal (https://manage.windowsazure.com) under: Active Directory, <select the directory associated with your Intune subscription>, Applications, “Microsoft Intune Enrollment”, Configure. The initial configuration will look like this:
One great benefit of this new method is that MFA can now be applied to all users or to selected user groups. Also, the MFA enforcement is triggered by the user's attempt to access the Intune enrollment service, so you do not have to enforce MFA for the user globally; it is now conditional. To learn more about Azure MFA go here. This means MFA is now supported for almost all Intune enrollment scenarios on all device platforms, as long as the enrollment uses Modern Authentication. The exception will continue to be Apple DEP enrollment, because that enrollment is performed through the Apple Setup Assistant experience, where the Modern Authentication code is not available.
Included with this move to Azure AD application conditional access are options to require MFA based on location, as seen under the “Rules” option once location-based access rules are turned on:
This rule should be configured to meet the requirements of your organization. First, set “Apply to” to either all users or specific groups; you can also add exceptions. You then have the rule options to always require MFA, to require MFA only when the user is not at work, or even to block access when the user is not at work. “At work” is based on how you define your network location by selecting the link on the page. The IP addresses you define must be the public IP addresses from which your users' traffic leaves your network, because those are the only addresses the Azure AD authentication service sees; internal (private) address ranges will never match, so a “not at work” rule would then apply to everyone.
However, there is one option that can prevent users from enrolling at all. Enabling device-based access rules on this application results in an enrollment loop, because the compliance requirement cannot be met without first completing enrollment.
DO NOT ENABLE the device-based access rules:
The “Microsoft Intune Enrollment” application is what grants a user access to the Intune enrollment service. So, if you enable device-based rules and require devices to be compliant, users will be denied access whenever their device is not yet compliant. A device can only become compliant by completing Intune enrollment and meeting the compliance policies assigned to it. Users would get a sign-in error and be offered an “Enroll” option that links them to the enrollment method for their device platform (Windows enrollment instructions, Apple App Store – Company Portal, or Google Play store – Company Portal), which is effectively a loop they cannot get out of: they cannot meet the compliance requirement without completing enrollment, and they cannot complete enrollment without meeting the compliance requirement. The device-based access rules exist for all Azure AD applications, and an exception cannot be made for the Microsoft Intune Enrollment application.
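As an added example (not part of the original Intune Support Team post), the script below is an offline pre-flight check for the two pitfalls described above: a device-state rule that reaches the enrollment application, and a “network location” defined with private addresses that Azure AD can never observe. It assumes its input is JSON in the shape of the Microsoft Graph v1.0 `/identity/conditionalAccess/policies` and `/identity/conditionalAccess/namedLocations` responses (the modern API, not the 2016 classic portal the post describes), the application ID used for “Microsoft Intune Enrollment” is an all-zero placeholder to be replaced with the one your tenant shows, and the sample policies and locations are constructed for illustration.

```powershell
# Offline lint for Conditional Access settings that would break Intune enrollment.
# Assumption: input is JSON in the shape of the Microsoft Graph v1.0
# /identity/conditionalAccess/policies and /namedLocations responses.
# The enrollment app ID below is a PLACEHOLDER; replace it with the ID your
# tenant shows for the "Microsoft Intune Enrollment" application.
$IntuneEnrollmentAppId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real ID

function Test-PrivateIPv4Range {
    # True when the CIDR's network address falls in an RFC 1918 private range.
    param([Parameter(Mandatory)][string]$Cidr)
    $addr = [System.Net.IPAddress]::Parse(($Cidr -split '/')[0])
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $addr.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Find-EnrollmentLoopPolicies {
    # Flags enabled policies that apply to the enrollment app (named directly, or
    # via "All" without excluding it) and require a compliant or domain-joined
    # device: a device can only satisfy that control after enrolling, which the
    # policy itself prevents.
    param([object[]]$Policies, [string]$EnrollmentAppId)
    foreach ($p in $Policies) {
        if ($p.state -ne 'enabled') { continue }
        $included = @($p.conditions.applications.includeApplications)
        $excluded = @($p.conditions.applications.excludeApplications)
        $targetsEnrollment = ((($included -contains $EnrollmentAppId) -or ($included -contains 'All')) -and
                              -not ($excluded -contains $EnrollmentAppId))
        if (-not $targetsEnrollment) { continue }
        $controls = @($p.grantControls.builtInControls)
        if (($controls -contains 'compliantDevice') -or ($controls -contains 'domainJoinedDevice')) {
            [pscustomobject]@{
                Policy = $p.displayName
                Reason = 'requires device state for the enrollment app (enrollment loop)'
            }
        }
    }
}

function Find-PrivateNamedLocations {
    # Flags named-location ranges that are private addresses. Azure AD evaluates
    # the public source address of the sign-in, so these ranges never match and a
    # "require MFA only when not at work" rule would prompt everyone.
    param([object[]]$Locations)
    foreach ($loc in $Locations) {
        foreach ($r in @($loc.ipRanges)) {
            if ($null -ne $r -and -not [string]::IsNullOrEmpty($r.cidrAddress) -and (Test-PrivateIPv4Range $r.cidrAddress)) {
                [pscustomobject]@{
                    Location = $loc.displayName
                    Range    = $r.cidrAddress
                    Reason   = 'private range; define the public egress address instead'
                }
            }
        }
    }
}

# Constructed sample input (not real tenant data): the first policy is the intended
# MFA-on-enrollment rule; the second is a tenant-wide compliant-device rule that
# silently locks unenrolled devices out of enrollment.
$policies = @'
[
  { "displayName": "MFA for Intune enrollment", "state": "enabled",
    "conditions": { "applications": { "includeApplications": [ "00000000-0000-0000-0000-000000000000" ] } },
    "grantControls": { "operator": "OR", "builtInControls": [ "mfa" ] } },
  { "displayName": "Require compliant device for all apps", "state": "enabled",
    "conditions": { "applications": { "includeApplications": [ "All" ] } },
    "grantControls": { "operator": "OR", "builtInControls": [ "compliantDevice" ] } }
]
'@ | ConvertFrom-Json

# Constructed sample: one public range (documentation prefix) and one private range.
$locations = @'
[
  { "displayName": "Head office", "isTrusted": true,
    "ipRanges": [ { "cidrAddress": "203.0.113.0/24" }, { "cidrAddress": "10.0.0.0/8" } ] }
]
'@ | ConvertFrom-Json

Find-EnrollmentLoopPolicies -Policies $policies -EnrollmentAppId $IntuneEnrollmentAppId | Format-Table -AutoSize
Find-PrivateNamedLocations  -Locations $locations | Format-Table -AutoSize
```

To run it against a real tenant, replace the two here-strings with the JSON you export from the Graph endpoints named above and set `$IntuneEnrollmentAppId` to the application ID shown for “Microsoft Intune Enrollment”. A policy scoped to “All” cloud apps is deliberately treated as targeting the enrollment app, since that is exactly the tenant-wide device rule that produces the loop; only an explicit exclusion of the enrollment app clears it.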
One last note: the options above require an Azure AD Premium P1 or P2 subscription in addition to your Intune subscription.
Intune Support Team