Android Enterprise Fully Managed enrollment with qrcode afw#setup MFA
It is not possible to enroll phones using the QR code or afw#setup method when the user is MFA enabled. When the step "Sign in to Microsoft" appears, the user is MFA challenged, but because the phone is in a state that does not accept phone calls or SMS from the MFA provider, the challenge times out. Please don't tell us to turn off or bypass MFA for users to enroll.
Krzysztof Baran commented
On the Azure Active Directory level, enable Azure access pass.
It will help in your scenario; I've already tested it.
Jeremy Bradshaw commented
I think this is not an issue anymore. I enrolled probably 50 times in the last month and certainly do have MFA enabled on my account, and I successfully complete the MFA from my primary device where the MS Authenticator app resides. Android Enterprise - Fully Managed, Samsung Galaxy A50, enroll via afw#setup then the QR code of my AE-FullyManaged token from the Endpoint Manager portal. Works every time, including the MFA prompt, no issue.
I will say, another annoyance during the process is how many times you have to tap buttons that say "Register" when the time comes to perform AAD device registration. There are so many unnecessary prompts and taps during that portion of enrollment that I don't know how the product got out the door like that. But that's common with MS cloud/Intune in general (things just go out the door willy-nilly).
Andreas Melin commented
We really need this to continue. We are now stuck, not being able to roll out devices, and hoping that the users will enroll.
For us to force device enrollment and be able to increase the model program, we need to be able to enroll through Android Enterprise or KNOX profile enforcement.
I cannot understand why more companies do not have this issue, as most Microsoft-heavy companies would require MFA to access company resources.
We have 3000 cellphones and will increase to 5000 but this is limiting us at the moment.
Antti Lakanen commented
It was possible to bypass MFA with a selected exclusion for the enrollment, but they made some change in December and now that isn't even possible.
The only workaround I found is that you define cloud apps manually in a CA policy, but that lessens security and adds manual monitoring in case new cloud apps appear.
Any update on this issue? It looks like MFA texts or calls won't come through to the physical device being registered when enrolling an Android Enterprise Fully Managed device.