The dashboard still shows MFA enabled. The box is still checked. And the gap is still there.
- ForgeNorth Brief

- 6 days ago
When Device Enrollment Becomes the Attack Path
Most Microsoft 365 security discussions focus on identity, email, and Conditional Access. Fewer examine Intune enrollment: who can enroll a device, from what, and under what conditions.
That gap matters.
The incident
An attacker gained access to a standard user account. No admin rights. No elevated privileges.
In many environments, that’s a contained issue: reset the password, revoke sessions, move on.
That didn’t happen here.
Intune allowed open enrollment (a common scenario): any valid user account with a valid credential and a Microsoft license could enroll any device, with no additional verification.
The attacker spun up a virtual machine and enrolled it using the compromised credentials.
From Intune’s perspective, the device was legitimate. Enrollment succeeded.
Within minutes, the virtual machine received device configuration profiles including the corporate VPN client and its settings. The attacker connected and gained internal network access.
No MFA during enrollment. No device trust requirement. No restriction on unmanaged or virtual devices.
A single compromised password was enough.
Why this works
MFA is not enforced during enrollment by default
Authentication occurs, but Conditional Access policies often don’t apply to enrollment unless explicitly configured.*
Enrollment accepts nearly any device by default
Physical or virtual. Corporate or personal. Known or unknown. Without restrictions, Intune treats them the same.
Together, these create a path that bypasses controls organizations assume are in place.
What this means
Device enrollment is a gateway into your environment.
It doesn’t just register a device; it provisions it:
- Applications
- Certificates
- Configuration & security settings
- VPN access
If that process trusts only a username and password, then anyone with those credentials can step through that gateway.
Controls that bridge the gap
Require MFA for Intune enrollment
Apply Conditional Access to the Microsoft Intune Enrollment cloud app to require MFA during enrollment. *In real environments, this is often unreliable or operationally disruptive, particularly with Autopilot or technician-led builds, and is not a substitute for enforcing device trust.
Restrict enrollment to Autopilot devices
Allow only devices pre-registered as an Autopilot device. This means that unregistered devices, including virtual machines, cannot enroll.
Block personal device enrollment
Limit enrollment to corporate-owned devices across all platforms. An Autopilot-registered device counts as corporate-owned, which keeps unmanaged devices out of the environment.
Require compliance before access
Use Conditional Access to block access until devices meet security standards. Ensure Intune device compliance policies adequately capture the necessary security controls.
Monitor enrollment activity
Review logs for:
- Unexpected device types
- Virtual machines
- Off-hours enrollment activity
Without monitoring, this activity is silent.
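The review described above can be automated. The following is an added example, not code from the original post: it runs the three checks (virtual-machine hardware, non-Autopilot or non-corporate ownership, off-hours timing) over constructed enrollment records. The field names are assumptions loosely modelled on what an Intune managed-device export contains, and the business-hours window is assumed.

```python
from datetime import datetime, timezone

# Constructed sample records, not real tenant data. Field names are assumptions.
SAMPLE_DEVICES = [
    {"deviceName": "LT-0421", "manufacturer": "Dell Inc.", "model": "Latitude 5540",
     "enrolledDateTime": "2024-03-12T09:14:00Z", "autopilotEnrolled": True,
     "managedDeviceOwnerType": "company", "userPrincipalName": "jane@example.com"},
    {"deviceName": "DESKTOP-7F3K", "manufacturer": "Microsoft Corporation", "model": "Virtual Machine",
     "enrolledDateTime": "2024-03-13T02:47:00Z", "autopilotEnrolled": False,
     "managedDeviceOwnerType": "personal", "userPrincipalName": "jane@example.com"},
    {"deviceName": "LT-0487", "manufacturer": "Dell Inc.", "model": "Latitude 5540",
     "enrolledDateTime": "2024-03-16T10:05:00Z", "autopilotEnrolled": True,
     "managedDeviceOwnerType": "company", "userPrincipalName": "sam@example.com"},
]

# Common hypervisor strings seen in manufacturer/model fields (Hyper-V reports "Virtual Machine").
VM_MARKERS = ("virtual machine", "vmware", "virtualbox", "qemu", "kvm", "parallels", "hyper-v")
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC, Monday to Friday (assumed window)


def enrollment_findings(device):
    """Return the list of review flags raised by one enrollment record."""
    findings = []
    hardware = f"{device.get('manufacturer', '')} {device.get('model', '')}".lower()
    if any(marker in hardware for marker in VM_MARKERS):
        findings.append("virtual-machine")
    if not device.get("autopilotEnrolled"):
        findings.append("not-autopilot")
    if device.get("managedDeviceOwnerType") != "company":
        findings.append("not-corporate")
    enrolled = datetime.fromisoformat(device["enrolledDateTime"].replace("Z", "+00:00"))
    enrolled = enrolled.astimezone(timezone.utc)
    if enrolled.hour not in BUSINESS_HOURS or enrolled.weekday() >= 5:
        findings.append("off-hours")
    return findings


def triage(devices):
    """Map device name -> findings for every record that raised at least one flag."""
    return {d["deviceName"]: f for d in devices if (f := enrollment_findings(d))}


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_DEVICES).items():
        print(f"{name}: {', '.join(flags)}")
```

A physical Autopilot device enrolled during business hours raises nothing; the VM enrolled at 02:47 raises all four flags and is the record the post's incident would have surfaced.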
In conclusion
Intune enrollment is a trusted provisioning system. When configured correctly, it delivers access to the right devices and the right users. When misconfigured, it does the same for threat actors. A verified user is not the same as a trusted device. That’s the gap.