Require multifactor authentication for Intune device enrollment - Microsoft Intune (2024)

Applies to:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows 8.1
  • Windows 10
  • Windows 11

You can use Intune together with Microsoft Entra Conditional Access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students wanting to enroll devices must first authenticate with a second device and two forms of credentials. MFA requires them to authenticate using two or more of these verification methods:

  • Something they know, such as a password or PIN.
  • Something they have that can't be duplicated, such as a trusted device or phone.
  • Something they are, such as a fingerprint.

Prerequisites

To implement this policy, you must assign Microsoft Entra ID P1 or later to users.

Configure Intune to require multifactor authentication at device enrollment

Complete these steps to require multifactor authentication during Microsoft Intune enrollment.

Important

Don't configure device-based access rules for Microsoft Intune enrollment.

  1. Sign in to the Microsoft Intune admin center.

  2. Go to Devices > Conditional access. This area is the same as the conditional access area available in Microsoft Entra ID. For more information about the available settings, see Cloud apps or actions.

  3. Choose Create new policy.

  4. Name your policy.

  5. Select the Users category.

    1. Under the Include tab, choose Select users or groups.
    2. Additional options appear. Select Users and groups. A list of users and groups opens.
    3. Add the users or groups you're assigning the policy to, and then choose Select.
    4. To exclude users or groups from the policy, select the Exclude tab and add those users or groups like you did in the previous step.
  6. Select the next category, Target resources.

    1. Select the Include tab.
    2. Choose Select apps > Select.
    3. Choose Microsoft Intune Enrollment > Select to add the app. Use the search bar in the app picker to find the app.

    For Apple automated device enrollments using Setup Assistant with modern authentication, you have two options to choose from. The following table describes the difference between the Microsoft Intune option and Microsoft Intune Enrollment option.

    Cloud app: Microsoft Intune
      MFA prompt location: Setup Assistant, Company Portal app
      Automated Device Enrollment notes: With this option, MFA is required during enrollment and each time the user signs into the Company Portal app or website. The MFA prompts appear on the Company Portal sign-in page.

    Cloud app: Microsoft Intune Enrollment
      MFA prompt location: Setup Assistant
      Automated Device Enrollment notes: With this option, MFA is required during device enrollment and appears as a one-time MFA prompt on the Company Portal sign-in page.
  7. Select the Grant category.

    1. Select Require multifactor authentication and Require device to be marked as compliant.
    2. Under For multiple controls, select Require all the selected controls.
    3. Choose Select.
  8. Select the Session category.

    1. Select Sign-in frequency and choose Every time.
    2. Choose Select.
  9. For Enable policy, select On.

  10. Select Create to save and create your policy.
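The same policy, expressed as the Microsoft Graph conditionalAccessPolicy body that the portal steps above produce, as an added example that is not part of the original article and is not Microsoft's code. The group object IDs are constructed placeholders; the application ID is the published first-party ID for "Microsoft Intune Enrollment" and is an assumption to confirm against the app picker in your own tenant. The audit function turns the article's required settings (Intune Enrollment app targeted, MFA and compliant device with "Require all", sign-in frequency every time, policy enabled, no device-based conditions) into checks you can run over a policy exported from Graph.

```python
"""
Build and sanity-check an Entra Conditional Access policy that requires MFA
for Microsoft Intune enrollment. Added example; assumptions marked inline.
"""
import json
import urllib.request

# Assumption: the published first-party application ID of
# "Microsoft Intune Enrollment". Confirm it matches the app shown in your
# tenant's app picker before relying on it.
INTUNE_ENROLLMENT_APP_ID = "d4ebce55-015a-49b5-a083-c84d1797ae8c"

GRAPH_CA_POLICIES_URL = (
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
)


def build_enrollment_mfa_policy(name, include_group_ids, exclude_group_ids=(),
                                enabled=True):
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    Mirrors the portal steps: Users (include/exclude groups), Target resources
    (Microsoft Intune Enrollment), Grant (MFA AND compliant device),
    Session (sign-in frequency: every time), Enable policy (On/Off).
    """
    return {
        "displayName": name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {
                "includeGroups": list(include_group_ids),
                "excludeGroups": list(exclude_group_ids),
            },
            "applications": {
                "includeApplications": [INTUNE_ENROLLMENT_APP_ID],
            },
            # No "platforms" or "devices" condition on purpose: the article
            # says not to configure device-based access rules for enrollment.
        },
        "grantControls": {
            "operator": "AND",  # "Require all the selected controls"
            "builtInControls": ["mfa", "compliantDevice"],
        },
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",  # "Every time"
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def audit_enrollment_policy(policy):
    """Return a list of findings for a policy body; an empty list means the
    policy matches the article's settings. Works on Graph-exported JSON too."""
    findings = []
    conds = policy.get("conditions") or {}
    apps = (conds.get("applications") or {}).get("includeApplications", [])
    if INTUNE_ENROLLMENT_APP_ID not in apps and "All" not in apps:
        findings.append("policy does not target the Microsoft Intune Enrollment app")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    if "compliantDevice" not in controls:
        findings.append("grant controls do not require a compliant device")
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("multiple controls selected but operator is not 'Require all'")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("sign-in frequency is not set to 'Every time'")
    if conds.get("platforms") or conds.get("devices"):
        findings.append("device platform/filter conditions are set; "
                        "the article advises against device-based rules here")
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    return findings


def post_policy(access_token, policy):
    """Create the policy via Graph. The token needs the
    Policy.ReadWrite.ConditionalAccess permission. Not called on import."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES_URL,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder group IDs; replace with real object IDs.
    policy = build_enrollment_mfa_policy(
        "Require MFA for Intune enrollment",
        include_group_ids=["00000000-0000-0000-0000-000000000001"],
        exclude_group_ids=["00000000-0000-0000-0000-000000000002"],
    )
    print(json.dumps(policy, indent=2))
    print("findings:", audit_enrollment_policy(policy))
```

Run the script to print the body you would POST; point `audit_enrollment_policy` at a policy pulled with `GET /identity/conditionalAccess/policies/{id}` to check that an existing enrollment policy still matches the settings above after someone edits it in the portal.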

After you apply and deploy this policy, users will see a one-time MFA prompt when they enroll their device.

Note

A second device is required to complete the MFA challenge for these types of corporate-owned devices:

  • Android Enterprise fully managed devices
  • Android Enterprise corporate-owned devices with a work profile
  • iOS/iPadOS devices enrolled via Apple automated device enrollment
  • macOS devices enrolled via Apple automated device enrollment

The second device is required because the primary device can't receive calls or text messages during the provisioning process.
