Enable Conditional Access and MFA (Multi factor authentication)



This step-by-step tutorial takes you through configuring Conditional Access and MFA (Multi-Factor Authentication) for Intune / Endpoint Manager.

This is Part 3 of a 13 part series.

=======================================================================

Welcome to part 3 of my thirteen-part series of tutorials taking you step by step through configuring Microsoft Endpoint Manager / Intune, from initial DNS config up to Autopilot and application deployment. The series gives you the knowledge you need to deploy a basic Intune / Endpoint Manager environment.

Initial Tenant and Intune Configuration
1. Configure DNS and CNAME - Link
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming - Link
3. Enable Conditional Access and MFA (Multi factor authentication) - Link - This Article
4. Configure Conditional Access Terms of Use - Link
5. Company Terms and Conditions - Link 
6. User and Device Groups, and Device Categories - Link
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment - Link
7a. More information regarding options for configuring the MDM and MAM user scopes - Link 
8. Enrollment Status Page - Link
9. Enrollment Restrictions - Link
10. Deploying Microsoft 365 apps (Office apps) - Link
11. Enable Microsoft Store for Business and publish the Company Portal app - Link
12. Assign Company Portal app - Link 
13. Test autopilot via register online - Link

If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on 
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link

=====================================================================

3. Enable Conditional Access and MFA (Multi factor authentication)

Resources -
Create a Conditional Access policy - Link
Enable Named Locations - Link

=======================================================================

MFA - Multi Factor Authentication options - Link

Azure AD provides MFA in two ways: per-user (legacy) MFA, which works on any licence, and Conditional Access policies that require MFA, which need Azure AD Premium P1 (included in Microsoft 365 E3/E5, EMS and Business Premium; the free developer tenant linked above has E5). The rest of this part uses Conditional Access. The per-user method is shown here for tenants without Premium licensing; do not leave users in the per-user Enforced state once Conditional Access is in place, or they will be prompted on every sign-in regardless of the policy's conditions.

Basic (per-user) MFA if no Azure AD Premium licensing
Admin Center - Select the user - Manage multifactor authentication - Select user - Enable - Enable

 

=====================================================================

Disable Security Defaults
Security Defaults and Conditional Access are mutually exclusive, so before creating a Conditional Access policy you must disable Security Defaults. Be aware of what you are giving up: Security Defaults require MFA for all administrators, require all users to register for MFA and block legacy authentication protocols tenant-wide. Until you recreate those controls as Conditional Access policies the tenant has only whatever per-user MFA you have set, so do this step immediately before creating your first policy, not weeks ahead.

  1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
  2. Browse to Azure Active Directory > Properties.



Properties - Manage security defaults

Under Enable Security defaults - Select - No
Select why you are disabling.
Save


====================================================================

Create an Azure AD security group to target users for MFA

Endpoint Manager - Groups - New Group


Group type - Security
Group name - AAD_Sec_User_MFA
Group description - Users that have MFA enforced


Under Members - Select - No members selected -


Add the members to the group -
Select


Create -

The group will now be created



===================================================================

Enable Conditional Access and MFA (Multi factor Authentication)

Important - Conditional Access can lock YOUR account out of Azure if a policy is misconfigured. Make sure you FULLY understand the implications of every assignment and control before you create a policy. Two safeguards are standard practice: exclude a dedicated emergency-access (break-glass) account from every Conditional Access policy, and create new policies in Report-only mode first so the sign-in logs show who would have been affected before anything is enforced.

In this instance the policy only targets a specific group; my global admin account is not a member of that group and is already configured for MFA.

Conditional Access -
Link
Azure Portal - Azure AD - Security -


Conditional Access -


New Policy -


Name - MFA for users
Assignments - Users and Groups - Select - 0 users and groups selected


As I am targeting the group we created - Select -
Select users and groups - Users and groups


The search box will appear -
Search for the group we just created - AAD_Sec_User_MFA
Select the group
Click - Select


The group will now appear in the Include section


Under the section - Cloud apps or actions - Select - No cloud apps or actions selected



Select - Cloud Apps
Under Include - Click - Select Apps -


The Select option will appear

Select - Office 365
Click - Select


Under Conditions - Click - 0 conditions selected
Options will appear on the right


In this instance I am not selecting any other conditions

Under access controls - Under Grant - Click - 0 controls selected


The Grant section will appear
Select the following options as required.
In this tutorial, I am only selecting Require multi-factor authentication

Grant access -
Require multi-factor authentication
Select



Enable policy - On (or Report-only, to log the outcome in the sign-in logs without enforcing it yet)
Create



Confirm the State is on -

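The same group and policy can be created from PowerShell, which is easier to review and repeat than clicking through the portal. The following is an added example using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph); it is not code from the original tutorial. It creates the policy in Report-only mode with a break-glass account excluded, and refuses to run while Security Defaults are still on. The UPNs pilot.user@contoso.onmicrosoft.com and breakglass@contoso.onmicrosoft.com are assumptions; replace them with accounts in your tenant.

```powershell
# Added example (not from the original tutorial): the AAD_Sec_User_MFA group and the
# "MFA for users" policy built with the Microsoft Graph PowerShell SDK.
# All UPNs below are assumptions.
$scopes = @(
    "Group.ReadWrite.All"
    "User.Read.All"
    "Policy.Read.All"
    "Policy.ReadWrite.ConditionalAccess"
)
Connect-MgGraph -Scopes $scopes

# Security Defaults cannot coexist with Conditional Access policies, so stop here if they are on.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) { throw "Disable Security Defaults first (Azure AD > Properties)." }

# 1. The targeting group (same name as in the tutorial), created only if it does not exist
$group = Get-MgGroup -Filter "displayName eq 'AAD_Sec_User_MFA'"
if (-not $group) {
    $group = New-MgGroup -DisplayName "AAD_Sec_User_MFA" `
        -Description "Users that have MFA enforced" `
        -MailEnabled:$false -MailNickname "AAD_Sec_User_MFA" -SecurityEnabled
}

# Add a pilot user to the group (assumed UPN)
$pilot = Get-MgUser -UserId "pilot.user@contoso.onmicrosoft.com"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $pilot.Id

# 2. Emergency-access account that must never be caught by any policy (assumed UPN)
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

# 3. The policy itself. "enabledForReportingButNotEnforced" is Report-only: the policy is
#    evaluated and the result written to the sign-in logs, but nobody is blocked.
$body = @{
    displayName   = "MFA for users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# 4. Read back what was stored and confirm the exclusion is present
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "ExcludedUsers"; e = { $_.Conditions.Users.ExcludeUsers } }

# 5. Once the Report-only results in the sign-in logs look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = "enabled" }
```

Run it from an account that holds the Conditional Access Administrator role, and keep the enforcement step commented out until you have checked the Report-only results; a policy created directly as "enabled" gives you no warning before it starts prompting (or blocking) users.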

=====================================================================

Restricting MFA verification options - Link
To restrict the users' MFA verification options (for example, to force the Authenticator app only)

Azure AD portal - https://aad.portal.azure.com/
Users


On the top menu - select - Multi-Factor Authentication


The MFA configuration page will open.

Select - Service settings -


Select the options as required -
To force only the Authenticator app, uncheck both Call to phone and Text message to phone, leaving Notification through mobile app (and, if you use hardware tokens, Verification code from mobile app or hardware token) checked. SMS and voice are the methods most exposed to SIM-swap and social-engineering attacks, which is why removing them is worthwhile. Users whose only registered method is SMS or voice will have to register the app before they can complete MFA.
Save


=====================================================================

Conditional Access - Adding a trusted location -
Marking your office or home-office public IP as trusted lets you skip the MFA prompt for sign-ins from that network. For per-user (legacy) MFA the trusted IPs list is enough on its own. A Conditional Access policy, however, applies from every network unless it has a Locations condition, so for the policy created above you also need Conditions - Locations - Include: Any location, Exclude: the trusted location (or MFA trusted IPs). Only trust static addresses you control; a shared or dynamic range lets anyone on it bypass MFA.

Azure AD portal - https://aad.portal.azure.com/
- Security -


Named locations


On the top menu - Configure MFA trusted IPs -


Add your Trusted IPs -
The format is CIDR notation: for a single IP address x.x.x.x/32, for a whole office range something like x.x.x.0/24. Enter public addresses only; Azure AD sees the address your traffic leaves the network from, not the internal LAN address.
Save
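The equivalent in PowerShell uses a named location, which is the Conditional Access counterpart of the legacy MFA trusted IPs list, and then adds the Locations condition that the policy created earlier in this part does not yet have. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original tutorial. The office address 203.0.113.10 (a documentation range) and the location name "Head office" are assumptions.

```powershell
# Added example (not from the original tutorial): a trusted IPv4 named location and the
# matching location exclusion on the "MFA for users" policy. IP and name are assumptions.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Trusted location; /32 for a single public address, as in the tutorial
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Head office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }
    )
}

# 2. Fetch the policy and restate its conditions with the location exclusion added.
#    The whole conditions object is sent so the update does not depend on partial-merge
#    behaviour; Where-Object drops $null entries so empty lists stay empty.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'MFA for users'"
$conditions = @{
    users          = @{
        includeGroups = @($policy.Conditions.Users.IncludeGroups | Where-Object { $_ })
        excludeUsers  = @($policy.Conditions.Users.ExcludeUsers  | Where-Object { $_ })
    }
    applications   = @{
        includeApplications = @($policy.Conditions.Applications.IncludeApplications | Where-Object { $_ })
    }
    clientAppTypes = @($policy.Conditions.ClientAppTypes | Where-Object { $_ })
    locations      = @{
        includeLocations = @("All")
        excludeLocations = @($office.Id)   # "AllTrusted" would exclude every trusted location instead
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ conditions = $conditions }

# 3. Check: ExcludeLocations should now contain the new location id
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Locations
```

After the update, a sign-in from 203.0.113.10 by a group member no longer matches the policy and is not prompted for MFA, while sign-ins from anywhere else still are; you can confirm this in the sign-in log's Conditional Access tab for a test user before and after the change.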


===============================================================

Check out all my tutorials - Link 



Highlights include - 
13 part series on how to perform the initial Tenant and Intune Configuration - Link 


===============================================================

 

About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry
