Device Immediately Removed from Intune
Resolve MFA-related device enrollment failures.
Overview
Symptom
During device migration, devices successfully join Intune but are immediately removed from the tenant. The device appears briefly in the Intune admin center and then disappears.
Root Cause
MFA Required on Provisioning Account
The issue occurs when all three of the following are true:
1. Automatic MDM enrollment is enabled: Windows devices automatically enroll in Intune when they join Azure AD.
2. MFA is required for all users: a Conditional Access policy requires MFA, and the provisioning account is within its scope.
3. The bulk token cannot satisfy MFA: the provisioning package authenticates with a bulk token, which cannot complete an MFA challenge.
Solution
Exclude the Provisioning Account from MFA
1. Access Conditional Access: navigate to Microsoft Entra admin center → Protection → Conditional Access.
2. Edit the MFA policy: select the Conditional Access policy that requires MFA for device enrollment.
3. Add the exclusion: under Users → Exclude, add the account used to create the provisioning package.
4. Save and test: save the policy and retry device enrollment with the provisioning package.
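The same exclusion can be applied with the Microsoft Graph PowerShell SDK, which is useful when the change has to be repeatable or reviewed. The script below is an added example, not part of the original article or a Microsoft-supplied script; the policy display name and the service account UPN are placeholders, and it assumes the Microsoft.Graph modules are installed and the signed-in admin can edit Conditional Access policies. Because a PATCH on a Conditional Access policy replaces the `users` condition set as a whole, the script carries over every existing include and exclude list and appends only the new user ID.

```powershell
# Added example (not from the original article): exclude the provisioning service
# account from the Conditional Access policy that enforces MFA, without disturbing
# the policy's other user, group and role assignments.
# Assumptions: Microsoft Graph PowerShell SDK installed; values below are placeholders.

$PolicyDisplayName = 'Require MFA for all users'          # placeholder
$ProvisioningUpn   = 'svc-provisioning@contoso.example'   # placeholder

function ToArray($value) {
    # Normalise $null / scalar / array into a string[] so the JSON body never
    # contains a null where Graph expects a list.
    if ($null -eq $value) { return ,[string[]]@() }
    return ,[string[]]@($value)
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

$account = Get-MgUser -UserId $ProvisioningUpn -Property Id, UserPrincipalName
$policy  = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyDisplayName'"
if (-not $policy)        { throw "Policy '$PolicyDisplayName' not found" }
if ($policy.Count -gt 1) { throw "More than one policy is named '$PolicyDisplayName'" }

$users = $policy.Conditions.Users
if ($users.ExcludeUsers -contains $account.Id) {
    Write-Host "$ProvisioningUpn is already excluded from '$PolicyDisplayName'"
    return
}

# Carry over the existing lists; only excludeUsers gains the new entry.
# If your policy also targets guests/external users, carry those fields over too.
$body = @{
    conditions = @{
        users = @{
            includeUsers  = ToArray $users.IncludeUsers
            includeGroups = ToArray $users.IncludeGroups
            includeRoles  = ToArray $users.IncludeRoles
            excludeUsers  = (ToArray $users.ExcludeUsers) + $account.Id
            excludeGroups = ToArray $users.ExcludeGroups
            excludeRoles  = ToArray $users.ExcludeRoles
        }
    }
}

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Read the policy back and confirm the exclusion actually landed before retrying enrollment.
$after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($after.Conditions.Users.ExcludeUsers -contains $account.Id) {
    Write-Host "Excluded $($account.UserPrincipalName) from '$($after.DisplayName)'"
} else {
    throw 'Exclusion was not applied; inspect the policy in the Entra admin center'
}
```

Run it once per MFA policy that covers the provisioning account, then retry enrollment with the provisioning package. Keeping the excluded account dedicated to provisioning (see Prevention below) limits what an MFA-free credential can be used for.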
Prevention
Best Practices
- Create a dedicated service account for provisioning packages
- Exclude this account from all MFA policies before creating the package
- Test the provisioning package manually before bulk deployment
- Monitor Entra sign-in logs for failed enrollment attempts
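For the last point, the following added example (not part of the original article) pulls the provisioning account's recent sign-ins from the Entra sign-in log through Microsoft Graph and lists the failed ones together with the Conditional Access policies that produced the failure. An MFA-blocked bulk enrollment shows up here as a failed sign-in with a Conditional Access result of failure, so running this before a bulk rollout catches a missing exclusion early. The UPN and look-back window are placeholders; the script assumes the Microsoft.Graph modules are installed.

```powershell
# Added example (not from the original article): surface failed sign-ins of the
# provisioning account, including which Conditional Access policies blocked them.
# Assumptions: Microsoft Graph PowerShell SDK installed; values below are placeholders.

$ProvisioningUpn = 'svc-provisioning@contoso.example'   # placeholder
$LookbackHours   = 24                                   # placeholder

# Reading sign-in logs requires AuditLog.Read.All together with Directory.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since  = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$ProvisioningUpn' and createdDateTime ge $since"

# Server-side filter on user and time; the error-code check is done client-side.
$signIns = Get-MgAuditLogSignIn -Filter $filter -All
$failed  = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }

if (-not $failed) {
    Write-Host "No failed sign-ins for $ProvisioningUpn in the last $LookbackHours hours"
    return
}

$failed |
    Select-Object CreatedDateTime,
                  AppDisplayName,
                  @{ n = 'ErrorCode';     e = { $_.Status.ErrorCode } },
                  @{ n = 'FailureReason'; e = { $_.Status.FailureReason } },
                  @{ n = 'CAResult';      e = { $_.ConditionalAccessStatus } },
                  @{ n = 'BlockingPolicies'; e = {
                        ($_.AppliedConditionalAccessPolicies |
                            Where-Object { $_.Result -eq 'failure' } |
                            ForEach-Object { $_.DisplayName }) -join '; ' } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

A row whose CAResult is failure and whose BlockingPolicies column names the MFA policy confirms the root cause described above; a clean run after the exclusion is applied is the check to do before starting the bulk deployment.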