Enable Conditional Access and MFA (Multi-factor authentication)



This step-by-step tutorial takes you through configuring Conditional Access and MFA (Multi-factor Authentication) for Intune / Endpoint Manager.

This is Part 3 of a 13 part series.

=======================================================================

Welcome to part 3 of my thirteen-part series of tutorials taking you step by step through configuring Microsoft Endpoint Manager / Intune, from initial DNS configuration up to Autopilot and application deployment. This series gives you all the knowledge you need to successfully deploy a basic Intune / Endpoint Manager environment.

Initial Tenant and Intune Configuration
1. Configure DNS and CNAME - Link
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming - Link
3. Enable Conditional Access and MFA (Multi-factor authentication) - Link - This Article
4. Configure Conditional Access Terms of Use - Link
5. Company Terms and Conditions - Link 
6. User and Device Groups, and Device Categories - Link
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment - Link
7a. More information regarding options for configuring the MDM and MAM user scopes - Link 
8. Enrollment Status Page - Link
9. Enrollment Restrictions - Link
10. Deploying Microsoft 365 apps (Office apps) - Link
11. Enable Microsoft Store for Business and publish the Company Portal app - Link
12. Assign Company Portal app - Link 
13. Test autopilot via register online - Link

If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on 
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link

=====================================================================

3. Enable Conditional Access and MFA (Multi-factor authentication)

Resources -
Create a Conditional Access policy - Link
Enable Named Locations - Link

=======================================================================

MFA - Multi-factor Authentication options - Link

Per-user (legacy) MFA if you have no Azure AD Premium licensing
Conditional Access requires Azure AD Premium P1 (or a bundle that includes it, such as Microsoft 365 E3/E5). Without it you can still enforce MFA per user:
Admin Center - Select the user - Manage multifactor authentication - Select user - Enable - Enable
Use one approach or the other for a given user; mixing per-user MFA with Conditional Access makes the resulting prompts hard to reason about.

 

=====================================================================

Disable Security Defaults
Before enabling Conditional Access, you must disable Security Defaults. The two are mutually exclusive: Azure AD will not let you create a Conditional Access policy while Security Defaults is on. Be aware that disabling it removes the baseline protection (MFA for administrators, blocking of legacy authentication) until your own policies replace it, so create the Conditional Access policies straight afterwards.

  1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
  2. Browse to Azure Active Directory > Properties.



Properties - Manage security defaults

Under Enable Security defaults - Select - No
Select the reason you are disabling it.
Save


====================================================================

Create an Azure AD security group to target users for MFA

Endpoint Manager - Groups - New Group


Group type - Security
Group name - AAD_Sec_User_MFA
Group description - Users that have MFA enforced


Under Members - Select - No members selected


Add the members to the group, then click Select


Create

The group is now created.
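The same group can be created from PowerShell, which is handy when you need to reproduce the setup in more than one tenant. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original tutorial; the member UPNs are placeholders you must replace with real users in your tenant.

```powershell
# Added example (not from the original tutorial): create the MFA target group
# with the Microsoft Graph PowerShell SDK instead of clicking through the portal.
# Prerequisite: Install-Module Microsoft.Graph -Scope CurrentUser
# Assumption: the UPNs in $members are placeholders for users in your tenant.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$groupName = 'AAD_Sec_User_MFA'
$members   = @('alice@contoso.com', 'bob@contoso.com')   # placeholder UPNs

# Idempotent: reuse the group if an earlier run already created it.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Users that have MFA enforced' `
        -MailEnabled:$false -MailNickname $groupName `
        -SecurityEnabled:$true
    Write-Host "Created group $($group.DisplayName) ($($group.Id))"
}

foreach ($upn in $members) {
    $user = Get-MgUser -UserId $upn
    # Skip users who are already members so re-running the script does not error.
    $existing = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
    if (-not $existing) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        Write-Host "Added $upn to $groupName"
    }
}

# Verify the membership before pointing a Conditional Access policy at the group:
# anyone listed here will be prompted for MFA once the policy is enforced.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id } |
    Select-Object DisplayName, UserPrincipalName
```

The final listing is the check worth doing every time: the policy you create next applies to exactly these accounts, so confirm nothing unexpected (and no administrator you rely on) is in the group.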



===================================================================

Enable Conditional Access and MFA (Multi-factor Authentication)

Important - Conditional Access can lock YOUR account out of Azure if it is configured incorrectly. Make sure you FULLY understand the implications of a Conditional Access policy before you create it. Two safeguards are worth building in from the start: exclude at least one emergency-access (break-glass) account from every policy, and create the policy in Report-only mode first so you can review its effect in the sign-in logs before enforcing it.

In this instance the Conditional Access policy targets only the group created above; my global admin account is not a member of that group, but it is already configured for MFA.
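For reference, here is the policy built in the steps below expressed as a Microsoft Graph PowerShell script, with the safeguards the warning above describes built in. This is an added example, not code from the original tutorial. It assumes the AAD_Sec_User_MFA group already exists and that an emergency-access group named AAD_Sec_BreakGlass (a placeholder name) holds the accounts that must never be locked out.

```powershell
# Added example (not from the original tutorial): create the "MFA for users"
# Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Assumptions: group AAD_Sec_User_MFA exists; AAD_Sec_BreakGlass is a placeholder
# name for the emergency-access group that every policy must exclude.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All', 'Group.Read.All'

# 1. Conditional Access and Security Defaults are mutually exclusive. Refuse to
#    continue while Security Defaults is still on (disable it as shown above, or
#    with Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false).
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw 'Security Defaults is still enabled; disable it before creating Conditional Access policies.'
}

# 2. Resolve the target and break-glass groups by name.
$target     = Get-MgGroup -Filter "displayName eq 'AAD_Sec_User_MFA'"   | Select-Object -First 1
$breakGlass = Get-MgGroup -Filter "displayName eq 'AAD_Sec_BreakGlass'" | Select-Object -First 1   # placeholder
if (-not $target -or -not $breakGlass) {
    throw 'Target group or break-glass group not found; create them first.'
}

# 3. Policy body. 'Office365' is the built-in identifier for the Office 365 app
#    suite and 'mfa' is the built-in "Require multifactor authentication" control.
#    The state is report-only, so sign-ins are evaluated and logged but nobody is
#    prompted or blocked until you switch it to 'enabled'.
$policy = @{
    displayName = 'MFA for users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($target.Id)
            excludeGroups = @($breakGlass.Id)     # never lock out the emergency accounts
        }
        applications = @{
            includeApplications = @('Office365')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"

# 4. After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

The script deliberately fails closed: it stops if Security Defaults is still on or if either group is missing, rather than creating a policy with an empty include or exclude list. Keep the break-glass exclusion even when you later add more policies; every policy in the tenant should exclude the same emergency accounts.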

Conditional Access - Link
Azure Portal - Azure AD - Security - Conditional Access


New Policy -


Name - MFA for users
Assignments - Users and Groups - Select - 0 users and groups selected


As I am targeting the group we created, select:
Select users and groups - Users and groups


The search box will appear -
Search for the group we just created - AAD_Sec_User_MFA
Select the group
Click - Select


The group will now appear in the Include section


Under the section Cloud apps or actions - Select - No cloud apps or actions selected



Select - Cloud apps
Under Include - Click - Select apps


The Select pane will appear

Select - Office 365
Click - Select
Note that the Office 365 suite covers Exchange Online, SharePoint Online, Teams and the other Office workloads, but not the Azure portal itself (the Microsoft Azure Management app), so this policy on its own does not protect administrative portals.


Under Conditions - Click - 0 conditions selected
Options will appear on the right


In this instance I am not selecting any other conditions.

Under access controls - Under Grant - Click - 0 controls selected