iOS Automated Device Enrollment (Apple DEP) with single app mode and Android Enterprise zero-touch enrollment (Samsung KME and Google Zero Touch) lock the device into the Intune enrollment process. Users cannot use the phone until the device is fully enrolled.
In this scenario, users cannot complete the MFA challenge on the same device, because the device cannot receive calls or text messages during the enrollment process.
One workaround is to bypass MFA during Microsoft Intune enrollment.
Configure Microsoft Intune to Bypass MFA during device enrolment for iOS and Android Devices
There are two settings that need to be checked to prevent the MFA prompt during enrollment.
1. Azure Active Directory > Security > Conditional Access > Policies
Conditional Access exclusion for Microsoft Intune Enrollment. The relevant cloud apps and their application IDs are:
- Microsoft Intune: 0000000a-0000-0000-c000-000000000000
- Microsoft Intune Enrollment: d4ebce55-015a-49b5-a083-c84d1797ae8c
2. Azure Active Directory > Devices > Device Settings
Confirm that “Require Multi-Factor Auth on join devices” is disabled, or disable it.
Note: This should be disabled by default on a new tenant.
For now, Require Multi-Factor Auth on join devices is a global option and will impact all devices; eventually this will be migrated into Conditional Access, where you will have more control.
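As an added example (not part of the original article), here is an offline check over Conditional Access policy records in the Microsoft Graph JSON shape (conditions.applications.includeApplications / excludeApplications, grantControls.builtInControls, state) that reports which enabled MFA policies would still apply to the Microsoft Intune Enrollment app using the IDs listed above. The sample policies are constructed, and flagging an exclusion of the broader Microsoft Intune app as wider than enrollment needs is my assumption, not something the article states.

```python
# Offline audit of Conditional Access policy JSON (Graph shape) for MFA that still hits Intune enrollment.
from typing import Dict, List, Tuple
# Application IDs as given in the article.
INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"
INTUNE_ENROLLMENT_APP_ID = "d4ebce55-015a-49b5-a083-c84d1797ae8c"

def requires_mfa(policy: Dict) -> bool:
    """Enabled (not report-only or disabled) policy whose grant controls include MFA."""
    if policy.get("state") != "enabled":
        return False
    return "mfa" in ((policy.get("grantControls") or {}).get("builtInControls") or [])

def app_scope(policy: Dict) -> Tuple[List[str], List[str]]:
    """(includeApplications, excludeApplications) from the policy's cloud-app condition."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return apps.get("includeApplications") or [], apps.get("excludeApplications") or []

def covers_app(policy: Dict, app_id: str) -> bool:
    """True if app_id is in scope ("All" or listed explicitly) and not excluded."""
    included, excluded = app_scope(policy)
    return ("All" in included or app_id in included) and app_id not in excluded

def enrollment_mfa_report(policies: List[Dict]) -> Dict[str, List[str]]:
    """blocks_enrollment: MFA still applies to the enrollment app, so a locked-down DEP or
    zero-touch device cannot finish enrolling. enrollment_excluded: exclusion in place.
    excludes_intune_service: the broader Microsoft Intune app is excluded too (flagged by assumption)."""
    report = {"blocks_enrollment": [], "enrollment_excluded": [], "excludes_intune_service": []}
    for p in policies:
        if not requires_mfa(p):
            continue
        name = p.get("displayName", "<unnamed>")
        key = "blocks_enrollment" if covers_app(p, INTUNE_ENROLLMENT_APP_ID) else "enrollment_excluded"
        report[key].append(name)
        if INTUNE_APP_ID in app_scope(p)[1]:
            report["excludes_intune_service"].append(name)
    return report

def _policy(name, state, controls, include, exclude) -> Dict:
    """Build one constructed policy record in Graph shape (sample data, not a real tenant)."""
    return {"displayName": name, "state": state, "grantControls": {"builtInControls": controls},
            "conditions": {"applications": {"includeApplications": include, "excludeApplications": exclude}}}

# Constructed sample tenant policies.
SAMPLE_POLICIES = [
    _policy("Require MFA for all users", "enabled", ["mfa"], ["All"], [INTUNE_ENROLLMENT_APP_ID]),
    _policy("Block legacy auth", "enabled", ["block"], ["All"], []),
    _policy("MFA for admins (report-only)", "enabledForReportingButNotEnforced", ["mfa"], ["All"], []),
    _policy("MFA on mobile", "enabled", ["mfa"], ["All"], []),
    _policy("Broad Intune exclusion", "enabled", ["mfa"], ["All"], [INTUNE_APP_ID, INTUNE_ENROLLMENT_APP_ID]),
]
```

On a real tenant, feed the function the policy objects returned by the Graph endpoint /identity/conditionalAccess/policies instead of SAMPLE_POLICIES.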
Conclusion
With these instructions, you’ll be able to successfully enroll both iOS and Android devices into Intune without multifactor authentication. This is necessary for the iOS single app mode and Android Enterprise zero-touch enrollment use cases.
Microsoft Intune is a part of Microsoft Endpoint Manager and provides the cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and cloud-based PC management for your company.