MT.1061 - Device registration MFA control conflicts with Conditional Access policies
Overview
When a Conditional Access policy requires MFA for device registration, the MFA requirement in the Entra ID Device settings must be disabled.
When both are enabled, the Conditional Access policy with the "Register device" user action will not work as expected.
Remediation action:
When a Conditional Access policy is configured with the Register or join devices user action, you must disable the tenant-wide multifactor requirement for device registration. Otherwise, Conditional Access policies with this user action are not properly enforced.
- Open Entra - Device Settings.
- Set Require Multifactor Authentication to register or join devices with Microsoft Entra to No.
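The conflict described above can be checked offline against exported policy data. The following is an added example, not Maester's own test code: the function name `Find-DeviceRegistrationMfaConflict` and the sample tenant data are constructed, the object shapes follow the Microsoft Graph `deviceRegistrationPolicy` and `conditionalAccessPolicy` resources, and counting only policies in the `enabled` state is an assumption.

```powershell
# Added example (not Maester's code). The function name is hypothetical.
function Find-DeviceRegistrationMfaConflict {
    param(
        [Parameter(Mandatory)] $DeviceRegistrationPolicy,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $ConditionalAccessPolicy
    )

    # Tenant-wide toggle shown in Entra under Device settings.
    $tenantMfa = $DeviceRegistrationPolicy.multiFactorAuthConfiguration -eq 'required'

    # CA policies that target the "Register or join devices" user action.
    # Assumption: only policies in the 'enabled' state count as enforced.
    $registerPolicies = @($ConditionalAccessPolicy | Where-Object {
        $_.state -eq 'enabled' -and
        $_.conditions.applications.includeUserActions -contains 'urn:user:registerdevice'
    })

    [pscustomobject]@{
        TenantWideMfaRequired  = $tenantMfa
        RegisterDevicePolicies = @($registerPolicies | ForEach-Object displayName)
        Conflict               = $tenantMfa -and ($registerPolicies.Count -gt 0)
    }
}

# Constructed sample data in the shape Microsoft Graph returns.
$sample = @'
{
  "deviceRegistrationPolicy": { "multiFactorAuthConfiguration": "required" },
  "policies": [
    { "displayName": "Constructed - MFA to register devices", "state": "enabled",
      "conditions": { "applications": { "includeUserActions": ["urn:user:registerdevice"] } } },
    { "displayName": "Constructed - MFA for all apps", "state": "enabled",
      "conditions": { "applications": { "includeApplications": ["All"], "includeUserActions": [] } } }
  ]
}
'@ | ConvertFrom-Json

$result = Find-DeviceRegistrationMfaConflict `
    -DeviceRegistrationPolicy $sample.deviceRegistrationPolicy `
    -ConditionalAccessPolicy $sample.policies

# Conflict is true when the tenant-wide setting and a register-device policy coexist.
$result | Format-List
```

Setting `multiFactorAuthConfiguration` to `notRequired` in the sample models the remediated state, in which the same function reports no conflict.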
Related links
- Require multifactor authentication for device registration
- Conflicting conditional access policies and Entra Device Settings
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1061 |
| Severity | Medium |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtDeviceRegistrationMfaConflict |
| Tags | CA, Maester, MT.1061 |
Source
- Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtDeviceRegistrationMfaConflict.ps1