How to Enable Require MFA for Entra ID Domain Join and Registration

Require MFA for Entra ID join

Azure Active Directory that brings more granularity to the MFA requirement for device registration and Entra ID domain join.

It is recommended to enforce MFA before a user can register or join their device to Entra ID. This ensures that compromised accounts cannot be used to add rogue devices to Azure Active Directory. This setting can be found in the Device settings blade in Azure Active Directory.

You can change the setting to Yes to require Multi-Factor Authentication to register or join devices with Entra ID.

But, this setting was having some caveats and causing some inconvenience for end-users. If your company has a Microsoft 365 tenant includes Azure Active Directory P1 or P2 licenses, you can using Conditional Access to require MFA with more controls and flexible.

Entra ID Conditional Access

Microsoft released a new user action in Entra ID Conditional Access that ultimately replaces this previous setting.

With Conditional Access you can configure require MFA when register or join action for specific users, groups, or roles. You are also able to use some conditions like device platform and locations. Sign-in and user risk are also available. To give you some examples of what you can do:

Require MFA for device registration from untrusted locations only.
Require MFA for device registration when user risk is medium or higher.
Require MFA for specific operating systems like Android or iOS.

Require MFA for device registration from untrusted locations only:

MFA will not prompt: If users register or join devices from trusted IPs or locations.
MFA prompt: When users register or join devices from untrusted IPs or locations like outside of company office, or foreign countries.

Currently, this user action only allows you to enable MFA as a control when users register or join devices to Entra ID. Other controls that are dependent on or not applicable to Entra ID device registration are disabled with this user action.