3 Ways to Enforce Azure AD MFA Registration in Azure AD/ M365 Tenant

Having MFA on Azure AD accounts is a top priority at the moment; it has basically become a baseline requirement.

There are a couple of ways to enforce MFA on user accounts by default. This makes sure all users are protected without having to run periodic reports and chase the unregistered ones.

The reason for collating all the options in this article is that they live in a few different places in the portal, and the options available depend on your licensing tier (free or paid).

Security Defaults

Security Defaults is enabled by default for a new M365 tenant. It gives each account 14 days from its first login to register for MFA. Once the 14 days are over, it forces the user to register for MFA in order to continue using the account.

If you are not using a paid Azure AD tier (P1 or P2), this is an excellent way to get your users to register for MFA.

Security Defaults enforces MFA registration for the users in the privileged roles listed below and for all other user accounts, blocks legacy authentication, and protects Azure services managed through the Azure Resource Manager API (Azure Portal, Azure PowerShell, Azure CLI).

Privileged Accounts

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator
  • Helpdesk administrator
  • Billing administrator
  • User administrator
  • Authentication administrator

How to enable Security Defaults in your tenant if you intend to use it:

https://aad.portal.azure.com/ > Azure Active Directory > Properties > Manage Security Defaults

Toggle the option to Yes
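The same toggle can be checked and set from the Microsoft Graph PowerShell SDK, which is handy when you manage several tenants. The block below is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and that the signed-in account holds a role allowed to change the setting. It also checks for existing Conditional Access policies first, because Security Defaults and Conditional Access are mutually exclusive in a tenant.

```powershell
# Added example (not from the original post): inspect and enable Security Defaults
# through Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults currently enabled: $($policy.IsEnabled)"

if (-not $policy.IsEnabled) {
    # A tenant that already has Conditional Access policies cannot turn on
    # Security Defaults; it should enforce MFA through Conditional Access instead.
    $caPolicies = @(Get-MgIdentityConditionalAccessPolicy)
    if ($caPolicies.Count -gt 0) {
        Write-Warning ("Tenant has {0} Conditional Access policies; Security Defaults and " +
                       "Conditional Access are mutually exclusive. Use a CA policy for MFA.") -f $caPolicies.Count
    }
    else {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
        $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
        Write-Host "Security Defaults enabled: $($policy.IsEnabled)"
    }
}
```

Run it interactively once; the re-read after the update confirms the change actually landed rather than trusting the call's return value.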

User experience


Conditional Access Policies

To use Conditional Access policies, users must have an Azure AD P1 or P2 license, or an eligible M365 license that includes P1 or P2.

Provided you satisfy the licensing requirement, configure the policy's Access controls to Grant access > Require multi-factor authentication. As you add users to the Conditional Access policy, they are shown the registration prompt below, and the MFA challenge starts being enforced for them at sign-in.

How to set up a Conditional Access policy for MFA
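The same policy can be created with the Microsoft Graph PowerShell SDK. This is an added example and not part of the original post; the group and emergency-account object IDs are placeholders you replace with your own. It scopes the policy to a pilot group, excludes the break-glass accounts, and starts in report-only mode so the sign-in logs show who would be affected before you flip the state to enabled.

```powershell
# Added example (not from the original post): create a Conditional Access policy
# that requires MFA for every cloud app, scoped to a pilot group. Object IDs are
# placeholders. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pilotGroupId  = "<object-id-of-pilot-group>"            # placeholder
$breakGlassIds = @("<object-id-of-emergency-account>")   # placeholder

$policy = @{
    displayName = "Require MFA - pilot group"
    # Report-only first; switch to "enabled" once the sign-in log review is clean.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Emergency-access accounts are excluded from every CA policy so a
            # misconfiguration cannot lock the whole tenant out.
            excludeUsers  = $breakGlassIds
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Widen includeGroups to all users only after the pilot group has registered cleanly; a policy that targets everyone on day one also hits the line-of-business accounts that cannot complete MFA, which is exactly the situation the registration policy section below addresses.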

User experience


MFA registration policy in Azure AD Identity Protection

Rather than sending your users the URL https://aka.ms/setupmfa, you can let the policy inform them of the next steps for registering with the service.

Sending the URL to users and asking them to register has a few disadvantages.

There can be loopholes in the implementation if you forget to send the email to a user, or if the user decides not to register, and chasing them can be harder.

Adding the users to the registration policy makes sure they register for MFA even if they skip it for the first 14 days, because the policy is mandatory.

The policy has two scoping options: apply it to "All users", or apply it to selected users or groups.

If you have accounts used by line-of-business apps that do not work with MFA, you can use the second option of adding selected users or groups.

To create the policy, go to the Azure AD portal > All Services > Azure AD Identity Protection > MFA Registration Policy

Add the selected groups or users and enforce the policy.
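Whichever of the three methods you choose, you will want to verify that the accounts actually registered, especially the privileged ones and anything left out of the policy scope. The following is an added example, not code from the original post: it reads the Azure AD authentication methods registration report through Microsoft Graph and lists member accounts that are still not MFA registered, with admin-role holders first. It assumes the Microsoft.Graph module is installed and the signed-in account can read audit logs and authentication methods.

```powershell
# Added example (not from the original post): find users who have not registered
# for MFA using the authentication methods registration report in Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

# Guests are out of scope here; the registration policy targets member accounts.
$notRegistered = @($details |
    Where-Object { -not $_.IsMfaRegistered -and $_.UserType -eq "member" } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, MethodsRegistered |
    Sort-Object -Property IsAdmin -Descending)

Write-Host ("{0} of {1} member accounts have not registered for MFA" -f
            $notRegistered.Count, @($details | Where-Object { $_.UserType -eq "member" }).Count)
$notRegistered | Format-Table -AutoSize

# Privileged accounts without MFA carry the most risk, so surface them separately.
$adminsWithoutMfa = @($notRegistered | Where-Object { $_.IsAdmin })
if ($adminsWithoutMfa.Count -gt 0) {
    Write-Warning "Privileged accounts without MFA registration:"
    $adminsWithoutMfa | Select-Object -ExpandProperty UserPrincipalName
}
```

If you excluded a group of line-of-business accounts from the policy, pipe that group's members through the same filter on a schedule; an exclusion list only stays safe while it stays short and is reviewed.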

User experience


Final Thoughts

There is not much more to add, but it is clear that the Azure AD options let you be flexible in your implementation. Whatever your approach, make sure users are protected with MFA, as it has itself become a security default for safeguarding accounts.
