Posts

Showing posts from January, 2025

Authentication flows Protection & Device Registration Service for Intune Enrolment

When I blogged last week about whether it is possible to enrol a device in Intune without ever having to authenticate on the device itself, I wanted to follow it up with additional security measures that organizations may need to consider if they use device code flow for device registration purposes. While Microsoft Entra ID supports a wide range of authentication and authorization flows to provide a seamless experience across all application and device types, device code flow can be misused and exploited to carry out phishing attacks and is therefore considered high-risk. In general, Microsoft recommends blocking it altogether, but that may not always be an option, as indicated in my earlier post. In this post I will cover how to block an authentication flow and how device registration can still be allowed in certain scenarios. Authentication flows in a nutshell To provide more control over your security posture, Microsoft has provided the ability to control certain authentication flows t...
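The control the excerpt refers to is the authentication flows condition in Conditional Access. The following PowerShell (Microsoft Graph PowerShell SDK) is an added example, not code from the post or from Microsoft: it creates a report-only policy that blocks device code flow for all users against all cloud apps, with one excluded group left for the device registration scenario the post discusses. The group ID, the policy name and the use of report-only mode are assumptions; the exclusion is where a tenant would place the identities permitted to use device code flow while the rest of the tenant is blocked.

```powershell
# Added example (not from the original post): block device code flow via a
# Conditional Access policy using the authenticationFlows condition.
# Requires the Microsoft.Graph.Identity.SignIns module and an admin with
# Policy.ReadWrite.ConditionalAccess (plus Application.Read.All for app lookups).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# Hypothetical group holding the identities still permitted to use device code
# flow (e.g. a registration/break-glass group). Replace with a real object ID.
$excludedGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA - Block device code flow (report-only)"
    # Start in report-only so sign-in logs show what WOULD be blocked before
    # switching state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($excludedGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # The authentication flows condition; transferMethods is a
        # comma-separated flag string. Only deviceCodeFlow is targeted here.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the condition landed as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: state={1} transferMethods={2}" -f $check.DisplayName,
    $check.State,
    $check.Conditions.AuthenticationFlows.TransferMethods
```

Before enforcing, review the Entra sign-in logs filtered on the report-only policy result to see which accounts and devices actually rely on device code flow; anything legitimate (such as the registration case from the earlier post) belongs in the excluded group, not in a broad exception.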

Is it possible to enrol a device in Intune without ever having to authenticate on the device itself?

When it comes to enrolling devices in Intune, there are multiple ways to do so. In a user-based enrolment, one will be required to provide Entra ID credentials at some stage or another. However, things can become challenging when there are other authentication requirements, such as certificates, in addition to standard user credentials. This is normally the case in organizations that are federated with Active Directory Federation Services (ADFS) or with a non-Microsoft identity provider. Such a configuration requires a trusted certificate issued to a user or a device before authentication can be allowed, but one cannot really deliver the certificate if the device is being born in the cloud and hasn't yet enrolled in Intune. It's a chicken-and-egg situation. So how does one get around this without compromising on security? The answer lies in the sign-in options at the time of enrolment. There are some options available with the Sign-in options, but it is '...