Information
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. The Microsoft Entra ID default configuration for user sign-in frequency is a rolling window of 90 days.
The recommended state is a Sign-in frequency of Every time for Microsoft Intune Enrollment.
Note: Microsoft accounts for a five-minute clock skew when 'every time' is selected in a conditional access policy, ensuring that users are not prompted more frequently than once every five minutes.
Intune Enrollment is considered a sensitive action and should be safeguarded. An attack path exists that allows a bypass of the device compliance Conditional Access rule. This could allow compromised credentials to be used through a newly registered device enrolled in Intune, enabling persistence and privilege escalation.
Setting sign-in frequency to every time limits the timespan an attacker could use fresh credentials to enroll a new device to Intune.
Solution
To remediate using the UI:
- Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
- Click to expand ID Protection > Risk-based Conditional Access.
- Create a new policy by selecting New policy.
- Under Users include All users.
- Under Target resources select Resources (formerly cloud apps), choose Select resources and add Microsoft Intune Enrollment to the list.
- Under Grant select Grant access.
- Check either Require multifactor authentication or Require authentication strength.
- Under Session check Sign-in frequency and select Every time.
- Under Enable policy set it to Report-only until the organization is ready to enable it.
- Click Create.
Note: If the Microsoft Intune Enrollment cloud app isn't available then it must be created. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID d4ebce55-015a-49b5-a083-c84d1797ae8c, in PowerShell or Microsoft Graph.
Note: Break-glass accounts should be excluded from all Conditional Access policies.
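The same configuration as the UI steps above, including the service principal creation described in the note, as an added PowerShell example that is not part of the benchmark text. It assumes the Microsoft Graph PowerShell SDK, an account granted the scopes named in the script, and a placeholder break-glass group object ID that must be replaced with the tenant's own.

```powershell
# Added example (not from the benchmark): creates the Microsoft Intune Enrollment
# service principal if it is missing, then a report-only Conditional Access policy
# that requires MFA and a sign-in frequency of "every time" for that app.
# Assumes the Microsoft Graph PowerShell SDK and the scopes requested below.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

$intuneEnrollmentAppId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'   # app ID given in the note
$breakGlassGroupId     = '<BREAK-GLASS-GROUP-OBJECT-ID>'           # placeholder: replace

# Step 1: make sure the cloud app exists in this tenant (see the note above).
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneEnrollmentAppId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $intuneEnrollmentAppId
}

# Step 2: policy mirroring the UI steps. frequencyInterval = everyTime is the Graph
# equivalent of "Sign-in frequency: Every time"; state is report-only to start.
$policy = @{
    displayName = 'CA - Intune Enrollment - MFA and sign-in frequency every time'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @($intuneEnrollmentAppId) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Step 3: audit check - list every policy that targets the Intune Enrollment app and
# show whether it actually enforces sign-in frequency "every time".
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeApplications -contains $intuneEnrollmentAppId } |
    Select-Object DisplayName, State,
        @{ n = 'SignInFrequency'; e = { $_.SessionControls.SignInFrequency.FrequencyInterval } }
```

The audit query at the end can be run on its own to verify an existing tenant: a policy for the app whose SignInFrequency column is empty or not `everyTime` does not meet the recommended state.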
Impact:
New users enrolling into Intune through an automated process may need to sign in again if the enrollment process goes on for too long.