Identity Protection MFA Registration policy isn't prompting users

Question

I am an IT administrator in my organization. We will soon be deploying conditional access policies institution wide. In order to prepare for that, we went ahead and purchased azure active directory premium P2 licenses for all of our users. After assigning the users I went ahead and conducted testing for the identity protection MFA registration policy. During testing, I and other IT staff were able to add ourselves to the policy and after we cleared our existing MFA registration methods and signed out we were prompted to register new methods upon logging in but with a 14 day grace period. My manager gave me the OK to roll out that policy to all users, but after doing so, the users report that they have not been prompted with the 14 day grace period asking for more information. I have also noticed a change in my administrative user interface, As the section marked controls in the photo that I sent is now grayed out. Are used to have the ability to check or uncheck that box as recently as yesterday. https://twitter.com/AzureSupport/status/1360346391206367236

Answer 1

Hi @Blakey, Gregory ,

I think I commented on this issue in the other thread, but if you have a conditional access policy enforcing MFA, then the users will need to pass the MFA request and register (and won't get the 14-day grace period option). If you don't have a policy like that configured, enabling security defaults will trigger a 14 day grace period for registration after a user's first login and security defaults being enabled.

Conditional Access by itself without Azure Identity Protection does not allow for the 14 day grace period and a conditional access policy requiring MFA will overwrite the grace period exception.