The Intune enrollment process can be secured via Conditional Access & Azure MFA and Microsoft have an article available HERE that describes how to secure the Intune Enrollment APP via Azure MFA.
But first we need to secure the Azure MFA registration process, If an attacker has obtained a user's credentials and the user that has been compromised has not registered for MFA, the attacker could use his\her phone to register for MFA.
So there are 3 methods to secure the MFA registration process.
- Multi-factor authentication registration policy
- User risk Sign In Policy
- Populating the phone numbers as described in this ARTICLE
If using method 3 and using a text message or call authentication process, The organisation admins can populate the mobile phone number per user and manage the MFA registration process.
Some helpful commands
##Using MSONLINE module, Query what the existing MFA auth method is
get-msoluser -UserPrincipalName sean@contoso.com | Select-Object -ExpandProperty StrongAuthenticationMethods
get-msoluser -UserPrincipalName sean@contoso.com | Select-Object -ExpandProperty StrongAuthenticationMethods
##Using MSONLINE module to cancel existing MFA Auth methods
set-msoluser -UserPrincipalName sean@contoso.com -StrongAuthenticationMethods $null
##Export all MFA enabled users to a csv
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName | export-csv "CSV PATH"
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName | export-csv "CSV PATH"
Once we have followed the guidelines in the Microsoft article to secure the Intune enrollment process with MFA , We can proceed to create our policy for Android & IOS
In the conditional access policy for Android & IOS devices, The final actions are listed below, Devices must be compliant but the compliance enrollment process is secured with MFA
