Earlier this week I described how to enable Multi Factor Authentication for Microsoft Intune via Office 365. In a (Twitter) conversation with EMS Technical Evangelist Simon May I learned that there are some differences between the MFA implementation for Microsoft Intune and Office 365.
Let’s have a look at what the differences are.
Before pointing out the differences, let’s have a look at the features of Multifactor Authentication in both products in the Microsoft Enterprise Mobility Suite.
In Office 365 you are able to enable Multifactor Authentication per user. This means that after a user is enabled for MFA, the user needs to configure a contact method and, optionally, application passwords. If MFA is enabled, it is then the primary logon method when logging into services of Office 365 and Microsoft Intune.
If you want to use Microsoft ActiveSync, you can create an application password for it, which allows that connection to get around Multi Factor Authentication.
When using Microsoft Intune you are able to enable MFA from the Microsoft Intune console. See the blog of Peter van der Woude for how to enable MFA in Microsoft Intune. In Microsoft Intune, MFA is only used while enrolling a Windows 8.1 or Windows Phone 8.1 device; after the device is enrolled, all logon events are handled via username and password. Currently, no MFA is used when enrolling any other device.
To summarize, see the table below for the currently supported features / ways of using MFA:

| Subject | Via Office 365 | Via Microsoft Intune |
|---|---|---|
| Authentication to Company Portal | MFA | Username and Password |
| MFA enabled | Per user (or batch) | Global |
| MFA Supported | iOS, Windows X, Windows Phone, Android | Windows 8.1, Windows Phone 8.1 |

So both implementations are a bit different. If you have both Office 365 and Microsoft Intune, you have a choice. If you have only Microsoft Intune and you want a higher level of security, you might also have a look at a blog post by Nico Sienaert, in which he adds MFA support via Microsoft Azure MFA.