Table of Contents
Require MFA for Azure AD join
Azure Active Directory that brings more granularity to the MFA requirement for device registration and Azure AD domain join.
It is recommended to enforce MFA before a user can register or join their device to Azure AD. This ensures that compromised accounts cannot be used to add rogue devices to Azure Active Directory. This setting can be found in the Device settings blade in Azure Active Directory.
You can change the setting to Yes to require Multi-Factor Authentication to register or join devices with Azure AD.
But, this setting was having some caveats and causing some inconvenience for end-users. If your company has a Microsoft 365 tenant includes Azure Active Directory P1 or P2 licenses, you can using Conditional Access to require MFA with more controls and flexible.
Azure AD Conditional Access
Microsoft released a new user action in Azure AD Conditional Access that ultimately replaces this previous setting.
With Conditional Access you can configure require MFA when register or join action for specific users, groups, or roles. You are also able to use some conditions like device platform and locations. Sign-in and user risk are also available. To give you some examples of what you can do:
- Require MFA for device registration from untrusted locations only.
- Require MFA for device registration when user risk is medium or higher.
- Require MFA for specific operating systems like Android or iOS.
Require MFA for device registration from untrusted locations only:
- MFA will not prompt: If users register or join devices from trusted IPs or locations.
- MFA prompt: When users register or join devices from untrusted IPs or locations like outside of company office, or foreign countries.
Currently, this user action only allows you to enable MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action.
Note: when you are using Conditional Access with this user action, the “original” device setting option should be set to No.