This step by step tutorial will take you through how to configure Conditional Access and MFA (Multi Factor Authentication) for Intune / Endpoint Manager.
This is Part 3 of a 13 part series.
=======================================================================
Welcome to part 3 of my thirteen part series of tutorials taking you step by step through how to configure Microsoft Endpoint Manager / Intune, from initial DNS config up to Autopilot and application deployment. This series gives you all the knowledge you need to successfully deploy a basic Intune / Endpoint Manager environment.
Initial Tenant and Intune Configuration
1. Configure DNS and CNAME - Link
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming - Link
3. Enable Conditional Access and MFA (Multi factor authentication) - Link - This Article
4. Configure Conditional Access Terms of Use - Link
5. Company Terms and Conditions - Link
6. User and Device Groups, and Device Categories - Link
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment - Link
7a. More information regarding options for configuring the MDM and MAM user scopes - Link
8. Enrollment Status Page - Link
9. Enrollment Restrictions - Link
10. Deploying Microsoft 365 apps (Office apps) - Link
11. Enable Microsoft Store for Business and publish the Company Portal app - Link
12. Assign Company Portal app - Link
13. Test autopilot via register online - Link
If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link
=====================================================================
3. Enable Conditional Access and MFA (Multi factor authentication)
Resources -
Create a Conditional Access policy - Link
Enable Named Locations - Link
=======================================================================
MFA - Multi Factor Authentication options - Link
Basic MFA if no Azure AD Premium licensing
Admin Center - Select the user - Manage multifactor authentication - Select user - Enable - Enable
=====================================================================
Disable Security Defaults
Before enabling Conditional Access, you must disable Security Defaults, as Azure AD does not allow the two to be used together.
- Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
- Browse to Azure Active Directory > Properties.
Properties - Manage security defaults
Under Enable Security defaults - Select - No
Select why you are disabling.
Save
====================================================================
Create an Azure AD security group to target users for MFA
Endpoint Manager - Groups - New Group
Group type - Security
Group name - AAD_Sec_User_MFA
Group description - Users that have MFA enforced
Under Members - Select - No members selected -
Add the members to the group -
Select
Create -
The group will now be created
===================================================================
Enable Conditional Access and MFA (Multi factor Authentication)
Important - Conditional Access can block YOUR account from accessing Azure if not configured correctly. Make sure you understand FULLY what the implications are when creating a Conditional Access Policy.
In this instance, this Conditional Access Policy is only targeting a specific group, and my global admin account is not a member of this group, but is already configured for MFA.
Conditional Access - Link
Azure Portal - Azure AD - Security -
Conditional Access -
New Policy -
Name - MFA for users
Assignments - Users and Groups - Select - 0 users and groups selected
As I am targeting the group we created - Select -
Select users and groups - Users and groups
The search box will appear -
Search for the group we just created - AAD_Sec_User_MFA
Select the group
Click - Select
The group will now appear in the Include section
Under the section - Cloud apps or actions - Select - No cloud apps or actions selected
Select - Cloud Apps
Under Include - Click - Select Apps -
The Select option will appear
Select - Office 365
Click - Select
Under Conditions - Click - 0 conditions selected
Options will appear on the right
In this instance I am not selecting any other conditions
Under access controls - Under Grant - Click - 0 controls selected
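The same "MFA for users" policy, targeting the AAD_Sec_User_MFA group created above and the Office 365 cloud app with the MFA grant control, can be created with the Microsoft Graph PowerShell SDK instead of clicking through the portal. This is an added example, not part of the original tutorial; it assumes the Microsoft.Graph modules are installed, that your account can consent to Policy.ReadWrite.ConditionalAccess, and the break-glass account UPN is a placeholder you replace with your own emergency-access account.

```powershell
# Added example (not from the original tutorial): build the "MFA for users"
# Conditional Access policy via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph modules are installed; the break-glass UPN below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All","User.Read.All"

# Resolve the group created earlier in this tutorial by its display name.
$mfaGroup = Get-MgGroup -Filter "displayName eq 'AAD_Sec_User_MFA'"
if (-not $mfaGroup) { throw "Group AAD_Sec_User_MFA not found - create it first." }

# Exclude an emergency-access account so a misconfigured policy cannot lock
# every admin out (placeholder UPN - replace with your own break-glass account).
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

$policy = @{
    displayName = "MFA for users"
    # Report-only first: the sign-in logs show what the policy WOULD do without
    # enforcing it. Change to "enabled" once you have reviewed the results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @($mfaGroup.Id)      # the AAD_Sec_User_MFA group
            excludeUsers  = @($breakGlass.Id)    # never lock out the break-glass account
        }
        # "Office365" is Graph's built-in alias for the Office 365 app group
        # chosen in the portal under Cloud apps > Select apps.
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")                # no other conditions, as in the tutorial
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")               # Grant access, require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Check the policy under Azure AD > Security > Conditional Access afterwards; it should show the group in Include, Office 365 under Cloud apps, and Require multi-factor authentication under Grant, in report-only mode until you switch it on.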