Today we take a look at a new feature in Azure Active Directory that brings more granularity to the MFA requirement for device registration and Azure AD domain join. Until now this was a tenant-wide setting that could only be switched on or off. Because this setting had some caveats and caused inconvenience for end users, it was mostly left disabled, even though that is not the recommended option.
It is recommended to enforce MFA before a user can register or join their device to Azure AD. This ensures that compromised accounts cannot be used to add rogue devices to Azure Active Directory. This setting can be found in the Device settings blade in Azure Active Directory.
Microsoft released a new user action in Azure AD Conditional Access that ultimately replaces this previous setting. To see this new action, instead of selecting cloud apps, pick the User actions tab. Here you will find the new setting.
Next, you can configure this user action for specific users, groups, or roles. You are also able to use some conditions like device platform and locations. Sign-in and user risk are also available. To give you some examples of what you can do:
- Require MFA for device registration from untrusted locations only
- Require MFA for device registration when user risk is medium or higher
- Require MFA for specific operating systems like Android or iOS
Currently, this user action only allows you to require MFA as a control when users register or join devices to Azure AD. The other controls, which either depend on a registered device or do not apply to device registration, are disabled when this user action is selected.
Note: when you are using Conditional Access with this user action, the "original" device setting option should be set to No.
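The first scenario from the list above (require MFA for device registration from untrusted locations only), created with the Microsoft Graph PowerShell SDK as an added example that is not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the break-glass account object id is a placeholder you replace.

```powershell
# Added example: Conditional Access policy targeting the "Register or join devices"
# user action (Graph identifier urn:user:registerdevice), created in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA - Require MFA for device registration (untrusted locations)"
    # Start in report-only: check the sign-in logs for expected results before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Keep an emergency access account out of the policy (placeholder id).
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{
            # User action instead of cloud apps; no includeApplications needed.
            includeUserActions = @("urn:user:registerdevice")
        }
        locations    = @{
            includeLocations = @("All")
            # "AllTrusted" = named locations marked trusted plus MFA trusted IPs.
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the only control available for this user action
    }
}

# Create the policy and show what was provisioned.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results look right, change `state` to `enabled` and, as the note above says, set the tenant-wide device setting to No so the two mechanisms do not overlap.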
This is the second user action that admins can use in Conditional Access. I wrote another blog post about the first user action “Register security information”. Learn more.
To learn more about this new feature, check out the articles below. Note that this feature is currently in preview.
What’s new? Release notes – Azure Active Directory | Microsoft Docs
Cloud apps or actions in Conditional Access policy – Azure Active Directory | Microsoft Docs
How to manage devices using the Azure portal | Microsoft Docs