Table of Contents
Require MFA for Azure AD join
Azure Active Directory that brings more granularity to the MFA requirement for device registration and Azure AD domain join.
Because this setting was having some caveats and causing some inconvenience for end-users, this setting was mostly disabled, despite the fact that this is not the recommended option.
Disable Require MFA for Azure AD Domain Join
Note: It is recommended to enforce MFA before a user can register or join their device to Azure AD. This ensures that compromised accounts cannot be used to add rogue devices to Azure Active Directory.
To disable Require MFA for Azure AD Domain Join:
1. Login into Azure Active Directory using a global admin account.
2. Select Azure Active Directory then select Devices under Manage section.
Finally, try to joining a device to Azure AD to verify it works.
More granularity
Microsoft released a new user action in Azure AD Conditional Access that ultimately replaces this previous setting.
With Conditional Access you can configure require MFA when register or join action for specific users, groups, or roles. You are also able to use some conditions like device platform and locations. Sign-in and user risk are also available. To give you some examples of what you can do:
- Require MFA for device registration from untrusted locations only.
- Require MFA for device registration when user risk is medium or higher.
- Require MFA for specific operating systems like Android or iOS.
Currently, this user action only allows you to enable MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action.
