Multi-Factor Authentication should be mandatory when users add devices to Azure Active Directory. This ensures that compromised user accounts cannot be used to register rogue devices to your directory. When "Require Multi-Factor Auth to join devices" is set to "Yes", users who are adding devices from the Internet are forced to use a second method of authentication before their devices can be successfully added to your directory.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
To determine if Multi-Factor Authentication is required for device enrollment in your AD account, perform the following actions:
Note: Getting "Enable an All Users group in the directory" feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.
Audit
To determine if non-administrator users have the ability to manage Office 365 groups in Azure portals, perform the following actions:
Note: Retrieving "Owners who can assign members as group owners in Azure portals" setting configuration status using Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
By setting "Require Multi-Factor Auth to join devices" to "Yes", all Active Directory users who are adding devices to your directory are challenged to use a second method of authentication. To turn on the necessary feature, perform the following actions:
Note: Enabling "Require Multi-Factor Auth to join devices" feature using Microsoft Graph API or Azure CLI is not currently supported.
References

You are auditing:
Require MFA to Join Devices
Risk level: Medium