Description:

Requiring multifactor authentication (MFA) to register or join devices with Microsoft Entra ensures that only verified and trusted users can add new devices to the organization’s directory. This security control helps prevent unauthorized device enrollment by adding an additional layer of identity verification beyond the user’s password. By enforcing MFA during device registration, organizations reduce the risk of compromised accounts being used to introduce unauthorized or potentially harmful devices into the environment.


Rationale:

Requiring MFA prevents unauthorized users from registering or joining devices by ensuring only verified identities can complete the process. This added security layer reduces the risk of compromised accounts introducing untrusted devices and strengthens overall access control within the organization.


Impact:

Security is increased because only users who complete MFA can add devices, which prevents unknown or unverified devices from joining the organization.


Default Value:

By default, this setting is not guaranteed to be enabled. Administrators must manually set it to Yes if they want to require MFA for device registration or joining.


Pre-requisites:

  • You must sign in with a Global Administrator or Privileged Role Administrator account.


Test Plan:

  1. Go to the Azure portal at https://portal.azure.com.

  2. In the portal, search for Microsoft Entra ID.

  3. In the left-side menu, under Manage, select Devices.

  4. Under Manage, select Device settings.

  5. Locate the setting “Require Multifactor Authentication to register or join devices with Microsoft Entra.”

  6. Verify that the setting is set to Yes.

  7. If it is set to No, follow the Implementation Plan.
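The Test Plan above is a manual portal check. The following script is an added example (not part of the original control text) that performs the same check against the tenant's device registration policy read from Microsoft Graph. It assumes the beta endpoint /policies/deviceRegistrationPolicy, its multiFactorAuthConfiguration property with the values "required" and "notRequired", and the Policy.Read.DeviceConfiguration permission; confirm any finding against the portal setting named in the Test Plan. The sample responses at the bottom are constructed so the script runs offline.

```python
"""Check whether Microsoft Entra requires MFA to register or join devices.

Added example, not part of the original control text. Assumes the Microsoft
Graph beta endpoint /policies/deviceRegistrationPolicy and its
multiFactorAuthConfiguration property ("required" / "notRequired").
"""
import json
import urllib.request
from typing import Any

# Assumed Graph endpoint for the tenant device registration policy.
GRAPH_URL = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
SETTING_NAME = ("Require Multifactor Authentication to register or join "
                "devices with Microsoft Entra")


def fetch_device_registration_policy(access_token: str) -> dict[str, Any]:
    """Fetch the tenant's device registration policy from Microsoft Graph.

    The bearer token is assumed to carry Policy.Read.DeviceConfiguration.
    This function is not called by the offline demo below.
    """
    req = urllib.request.Request(
        GRAPH_URL,
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def mfa_required_for_device_registration(policy: dict[str, Any]) -> bool:
    """True only when the policy explicitly reports MFA as required.

    A missing or unexpected value is treated as non-compliant, so an API
    change or a partial response never produces a false PASS.
    """
    value = str(policy.get("multiFactorAuthConfiguration", "")).strip().lower()
    return value == "required"


def assess(policy: dict[str, Any]) -> dict[str, str]:
    """Map the policy to a PASS/FAIL finding for this control."""
    compliant = mfa_required_for_device_registration(policy)
    return {
        "setting": SETTING_NAME,
        "observed": str(policy.get("multiFactorAuthConfiguration", "<missing>")),
        "status": "PASS" if compliant else "FAIL",
        "remediation": "" if compliant else
                       "Set the option to Yes (see Implementation Plan).",
    }


# Constructed sample responses (not captured from a real tenant).
SAMPLE_NONCOMPLIANT = {"multiFactorAuthConfiguration": "notRequired",
                       "userDeviceQuota": 50}
SAMPLE_COMPLIANT = {"multiFactorAuthConfiguration": "required",
                    "userDeviceQuota": 50}

if __name__ == "__main__":
    for sample in (SAMPLE_NONCOMPLIANT, SAMPLE_COMPLIANT):
        print(json.dumps(assess(sample), indent=2))
```

To run it against a live tenant, obtain a Graph access token with the assumed permission and pass `fetch_device_registration_policy(token)` to `assess`; the check deliberately fails closed, so anything other than an explicit "required" is reported as FAIL.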


Implementation Plan:

  1. Go to the Azure portal at https://portal.azure.com.

  2. In the portal, search for Microsoft Entra ID.

  3. In the left-side menu, under Manage, select Devices.

  4. Under Manage, select Device settings.

  5. Find the option "Require Multifactor Authentication to register or join devices with Microsoft Entra."

  6. Set this option to Yes.

  7. Click Save to apply the change.

Backout Plan:

  1. Go to the Azure portal at https://portal.azure.com.

  2. In the portal, search for Microsoft Entra ID.

  3. In the left-side menu, under Manage, select Devices.

  4. Under Manage, select Device settings.

  5. Locate the setting “Require Multifactor Authentication to register or join devices with Microsoft Entra.”

  6. Change the option back to No.

  7. Click Save to apply the change.


Reference: