“With these instructions you’ll be able to successfully enrol both iOS and Android devices into Intune without multifactor authentication.”

iOS Automated Device Enrollment (Apple DEP) with single app mode and Android Enterprise Zero Touch enrollment (Samsung KME and Google Zero Touch) lock the device into the Intune enrollment process. Users cannot use the phone until the device is fully enrolled.

In this scenario, users cannot complete the MFA challenge on the same device, because the device cannot receive calls or text messages while enrollment is in progress.

One workaround is to bypass MFA during Microsoft Intune Enrollment.

Configure Microsoft Intune to Bypass MFA during device enrolment for iOS and Android Devices

There are two settings that need to be checked to prevent the MFA prompt during enrollment.

1. Azure Active Directory > Security > Conditional Access > Policies

Conditional Access exclusion for Microsoft Intune Enrollment: in each policy that requires MFA, add the following two cloud apps to the excluded applications. The exclusion is scoped to these two application IDs only, so MFA remains enforced for every other application the policy targets.

Microsoft Intune: 0000000a-0000-0000-c000-000000000000

Microsoft Intune Enrollment: d4ebce55-015a-49b5-a083-c84d1797ae8c

2. Azure Active Directory > Devices > Device Settings

Confirm or disable “Require Multi-Factor Auth on join devices”.

Note: This should be disabled by default on a new tenant.

For now, Require Multi-Factor Auth on join devices is a global option and affects all devices; eventually this will be migrated into Conditional Access, where you will have more granular control.
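Added example, not code from the original post: a Python check that takes Conditional Access policies in the JSON shape Microsoft Graph returns for conditionalAccessPolicy (for example, exported with Get-MgIdentityConditionalAccessPolicy) and reports which enforced MFA policies still target the two Intune app IDs without excluding them, plus a check of the tenant deviceRegistrationPolicy value behind setting 2. The sample policies are constructed, and the Graph field names (includeApplications, excludeApplications, builtInControls, multiFactorAuthConfiguration) are assumed from the v1.0 schema.

```python
import json

# The two cloud apps named in the post, keyed by their application IDs.
INTUNE_APP_IDS = {
    "0000000a-0000-0000-c000-000000000000": "Microsoft Intune",
    "d4ebce55-015a-49b5-a083-c84d1797ae8c": "Microsoft Intune Enrollment",
}

# Constructed sample policies in the shape of Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA, Intune excluded", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["0000000a-0000-0000-c000-000000000000",
                            "d4ebce55-015a-49b5-a083-c84d1797ae8c"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"builtInControls": ["block"]}}
]""")

# Constructed sample of the tenant deviceRegistrationPolicy (setting 2 in the post).
SAMPLE_DEVICE_POLICY = {"multiFactorAuthConfiguration": "required"}

def policy_requires_mfa(policy):
    """True if the policy is enforced (not report-only or disabled) and grants require MFA."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return policy.get("state") == "enabled" and "mfa" in controls

def enrollment_apps_still_covered(policy):
    """Intune app IDs that this policy targets (explicitly or via 'All') without excluding."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    return {a for a in INTUNE_APP_IDS
            if ("All" in included or a in included) and a not in excluded}

def find_blocking_policies(policies):
    """Map policy name -> Intune app IDs that would still receive an MFA prompt."""
    return {p["displayName"]: ids for p in policies
            if policy_requires_mfa(p) and (ids := enrollment_apps_still_covered(p))}

def device_join_requires_mfa(device_policy):
    """True if 'Require Multi-Factor Auth on join devices' is still switched on."""
    return device_policy.get("multiFactorAuthConfiguration") == "required"
```

Running find_blocking_policies on the sample flags only the first policy, because the second excludes both app IDs and the third does not require MFA.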


Conclusion

With these instructions, you’ll be able to successfully enroll both iOS and Android devices into Intune without multifactor authentication. This is necessary for iOS single-app and Android Enterprise Zero Touch enrolment use cases.

Microsoft Intune is a part of Microsoft Endpoint Manager and provides the cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and cloud-based PC management for your company.

If you would like support for your Intune environment or just someone to reach out to when you have questions, consider our Endpoint Support service, or contact us.
