Merge pull request #8322 from MicrosoftGuyJFlo/SignInFrequencyAdd

v-stsavell · web-flow · commit 0be3e74087ed · 2022-08-29T11:52:23.000-05:00
[Intune] Conditional Access Sign In Frequency MFA Enrollment
diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md
@@ -1,14 +1,14 @@
 ---
 # required metadata
 
-title: Require multi-factor authentication for Intune device enrollment
+title: Require multifactor authentication for Intune device enrollment
 titleSuffix: Microsoft Intune
-description: How to require multi-factor authentication in Azure AD for Intune device enrollment.
+description: How to require multifactor authentication in Azure AD for Intune device enrollment.
 keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 04/27/2021
+ms.date: 08/25/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -28,12 +28,11 @@ search.appverid: MET150
 ms.custom: intune-azure
 ms.collection: M365-identity-device-management
 ---
-
-# Require multi-factor authentication for Intune device enrollments
+# Require multifactor authentication for Intune device enrollments
 
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
-Intune can use Azure Active Directory (AD) Conditional Access policies to require multi-factor authentication (MFA) for device enrollment to help you secure your corporate resources.
+Intune can use Azure Active Directory (Azure AD) Conditional Access policies to require multifactor authentication (MFA) for device enrollment to help you secure your corporate resources.
 
 MFA works by requiring any two or more of the following verification methods:
 
@@ -43,49 +42,58 @@ MFA works by requiring any two or more of the following verification methods:
 
 MFA is supported for iOS/iPadOS, macOS, Android, and Windows 8.1 or later devices.
 
-When you enable MFA, end users needs a second device and must supply two forms of credentials to enroll a device.
+When you enable MFA, end users need a second device, and must supply two forms of credentials to enroll a device.
 
-## Configure Intune to require multi-factor authentication at device enrollment
+## Configure Intune to require multifactor authentication at device enrollment
 
 To require MFA when a device is enrolled, follow these steps:
 
->[!Important]
->You must have an Azure Active Directory Premium P1 or above assigned to your users to implement this policy.
-
->[!Important]
->Don't configure **Device based access rules** for Microsoft Intune enrollment.
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Conditional Access**. The Conditional Access node accessed from *Intune* is the same node as accessed from *Azure AD*.
-2. Choose **New policy**.
-3. In **New** policy, type a descriptive name for the policy.
-4. In the **Assignments** section, choose **Users and groups**. 
-5. In **Users and groups**, choose **Select users or groups**, and check **Users and groups**. Then select the users and /or groups that will receive this policy, then choose **Done**.
-6. In the **Assignments** section, choose **Cloud apps**.
-7. On the **Include** tab of **Cloud apps**, choose **Select apps**, then choose **Select** > **Microsoft Intune Enrollment**, and then choose **Done**. By choosing Microsoft Intune Enrollment, conditional access MFA is applied only to the enrollment of the device (one-time MFA prompt).
-
-    For Apple Automated Device Enrollments using **Setup assistant with modern authentication**, you have two options:
-
-    | Cloud app | MFA prompt location | Automated Device Enrollment notes |
-    | --- | --- | --- |
-    | **Microsoft Intune** | Setup Assistant,<br>Company Portal app | With this option, MFA is required during enrollment and for each login to the Company Portal app/Company Portal website. Conditional access MFA is applied only to the login of the Company Portal on the device. |
-    | **Microsoft Intune Enrollment** | Setup Assistant | With this option, MFA is applied only to the enrollment of the device (one-time MFA prompt). Conditional access MFA is applied only to the login of the Company Portal on the device. |
-
-8. Choose **Done**.
-9. In the **Assignments** section, for **Conditions** you don't need to configure any settings for MFA.
-10. In the **Access controls** section, choose **Grant**.
-11. In **Grant**, choose **Grant access**, and then select **Require multi-factor authentication** and **Require device to be marked as compliant**. Then choose **Select**.
-12. In **New policy**, choose **Enable policy** > **On**, and then choose **Create**.
+> [!IMPORTANT]
+> You must have an Azure Active Directory Premium P1 or above assigned to your users to implement this policy.
+
+> [!IMPORTANT]
+> Don't configure **Device based access rules** for Microsoft Intune enrollment.
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Browse to **Devices** > **Conditional Access**. The Conditional Access node accessed from *Intune* is the same node as accessed from *Azure AD*.
+1. Choose **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users or workload identities**.
+   1. Under **Include**, select **Select users or groups**, and check **Users and groups**. Then select the users and/or groups that will receive this policy
+   1. Choose **Select**.
+1. Under **Cloud apps or actions** > **Include**.
+   1. Choose **Select apps** > **Microsoft Intune Enrollment**.
+   1. Choose **Select**.
+     By choosing Microsoft Intune Enrollment, Conditional Access MFA is applied only to the enrollment of the device (one-time MFA prompt).
+
+     For Apple Automated Device Enrollments using **Setup assistant with modern authentication**, you have two options:
+    
+     | Cloud app | MFA prompt location | Automated Device Enrollment notes |
+     | --- | --- | --- |
+     | **Microsoft Intune** | Setup Assistant,<br>Company Portal app | With this option, MFA is required during enrollment and for each login to the Company Portal app/Company Portal website. Conditional Access MFA is applied only to the login of the Company Portal on the device. |
+     | **Microsoft Intune Enrollment** | Setup Assistant | With this option, MFA is applied only to the enrollment of the device (one-time MFA prompt). Conditional Access MFA is applied only to the login of the Company Portal on the device. |
+
+1. Under **Conditions** you don't need to configure any settings for MFA.
+1. Under **Access controls** > **Grant**
+   1. Select **Require multifactor authentication** and **Require device to be marked as compliant**.
+   1. Ensure **Require all the selected controls** is selected under **For multiple controls**.
+   1. Choose **Select**.
+1. Under **Session**.
+   1. Select **Sign-in frequency**.
+   1. Ensure **Every time** is selected.
+   1. Select **Select**.
+1. In **New policy**, choose **Enable policy** > **On**, and then choose **Create**.
 
 > [!NOTE]
 > A second device is required to complete the MFA challenge for corporate devices like the following:
+>
 > - Android Enterprise Fully Managed.
 > - Android Enterprise Corporate Owned Work Profile.
 > - iOS/iPadOS Automated Device Enrollment.
 > - macOS Automated Device Enrollment.
 >
 > The second device is required because the primary device can't receive calls or text messages during the provisioning process.
 
-
 ## Next steps
 
 When end users enroll their device, they now must authenticate with a second form of identification, like a PIN, a phone, or biometrics.
