If you want to enroll for Azure MFA the users need to go through these steps. When you enforce or enable MFA the user will be prompted for MFA enrollment. This is best done in a browser.
First the user need to access any of our endpoint e.g. http://portal.office.com
Here are all of the pictures in a Sway:
https://sway.com/2fNqmpbe5O17F5Ev
In this example i enforce MFA for a security group with 3 users when they try to access Yammer only. Everything else is not enforced with MFA.
Prerequisites: Enterprise Mobility + Security (EMS) License assigned to the user.
Go to: http://manage.windowsazure.com
Note on these settings, I have 3 users in the CA Exchange Online Mobile group. Rest of my users are in the NO CA group and that group is set to Except. I do this to ensure that nothing is enforced globally to all users. The 3 users in the first group have not had Azure MFA Enabled or Enforced but is set to Disabled.
This is what the user will see now.
He will see the normal login but be required to enter a second factor. If he navigates to outlook og Onedrive there will be no such requirement.
A colleague of mine, Ilya sendt out a Azure RMS protected document. Here is what it looks like for a user of Azure RMS when sharing documents.
Observe the insight and control you have over the information, and at a moments notice you can withdraw access to the document.
The Yellow lines are the last names which have been removed for privacy.
Got a medium warning in Azure IDP, it says my account have been out traveling.
http://manage.windowsazure.com keeps a track on logins for each user. London is not Oslo…
You share a Azure RMS protected document with one user lg@haukeberg.com. If you now remove that user and add Samsung@haukeberg.com
-> What happens?
NOTHING.
Each share on the file creates a new instance in Azure RMS, hence if you want to remove user lg@haukeberg.com access you need to revoke access to the document completly.
Note: once you revoke access to a document, all the users will loose access.
Hence if the user lg@haukeberg.com quits and you revoke access to a document which also Samsung@haukberg.com has access to then both loose access.
Workaround would be to always share a document with as few as possible each time.
What will the user see if he puts a Azure RMS protected file on SharePoint online?
Setup:
Here is what happens:
This is how you both join Azure AD and enroll for MDM. Your admin need to have configured Automatic MDM enrollment into intune over at http://manage.windowsazure.com for this to work.
If you enable conditional Access in Intune then Your devices will have to be enrolled with Intune in order to read mail. If they are not enrolled or otherwise compliant they will be blocked.
-You can relax these demands as you see fit, but that would kinda defeat its purpose.
This user will not be allowed to Complete the mail setup.
Note that you have to enable ADAL on Exchange Online and use Outlook 2013-2016 With ADAL in order for this to work. Click here to se how to set up Exchange Online with ADAL
How to enroll Your Windows 10 Machine in Intune to get back mail?
Click here for the MDM enrollment instructions without Azure AD join.
or here
If you have Outlook 2016 or Outlook 2013 and want to use Azure MFA but you do not want to use Application Passwords there are one thing you need to do.
ADAL for Exchange Online is Off by default turn it on here: How to turn on ADAL for Exchange Online
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential
$UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Get-OrganizationConfig | fl *Oauth*
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
Remove-PSSession $Session
Click here to see: This is how Outlook Click to Run behaves with Azure MFA turned on
Håvard Siegel Haukeberg 
You must be logged in to post a comment.