Security Default 14-day grace period never ends

MCalicchia 1 Reputation point
2021-12-27T20:37:17.277+00:00

I have Azure AD free and have enabled security defaults to force my users to use MFA. The problem is my users just keep hitting the "skip for now (14 days until this is required)" option and are never forced to register. How can I prevent this from happening and enforce the 14-day limit?


2 answers

  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2021-12-27T23:44:29.553+00:00

    @MCalicchia
    Thank you for your post!

    Based on your issue, I found some answers posted by my colleagues that should help point you in the right direction when it comes to requiring users to sign up for MFA.

    GitHub Issue #39539 - 14-day grace period:

    Security Defaults is something that an organization would do when they know they are going to roll out MFA in the near future. This allows them to get their users registered with minimal discomfort. If you enable a Conditional Access Policy that requires a user to perform MFA, and enable the Azure Identity Protection Sign-in risk policy, users will immediately be required to register and will not be able to bypass the 14-day grace period. This is because the policy now requires users to be registered to use MFA. This, unlike the registration policy, will block users from continuing until they have completed registration.

    I hope this helps!

    Additional Links:
    14-day period (Unified Multi-Factor Authentication registration) #43034
    Disable MFA 14 day grace period?
    What is Identity Protection?
    Enable sign-in risk policy for MFA
    Configure the conditions for multi-factor authentication
    Building a Conditional Access policy

    If you have any feedback regarding the Security Defaults feature, or would like a new feature to be implemented I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into this.

    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
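The Conditional Access approach described in the answer above, written out as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original answer or from Microsoft's documentation). It assumes the `Microsoft.Graph.Identity.SignIns` module is installed and that the account running it can consent to the `Policy.ReadWrite.ConditionalAccess` scope. Two caveats to keep in mind: Conditional Access is a Microsoft Entra ID P1 feature, so it is not available on the Free tier the question mentions, and security defaults must be turned off before a Conditional Access policy can be enabled, since the two cannot be active at the same time. The policy is created in report-only mode first so sign-in logs can be checked for unintended lockouts before it is enforced, and the object ID of a break-glass account is a placeholder to be filled in.

```powershell
# Added example: create a Conditional Access policy that requires MFA for all
# users on all cloud apps. Requires Microsoft Entra ID P1 and the
# Microsoft.Graph.Identity.SignIns module (assumptions, see lead-in).

# Sign in with the permission needed to manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) account that is
# excluded so an MFA misconfiguration can never lock every admin out.
$breakGlassObjectId = "<break-glass-account-object-id>"

$policy = @{
    displayName = "Require MFA for all users"
    # Start in report-only mode; switch to "enabled" once the sign-in logs
    # show the expected effect and no unintended blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'."

# Review the policy; once validated, enable enforcement with:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Once the policy state is `enabled`, a user who has not yet registered an MFA method is prompted to register at sign-in and cannot proceed until registration is complete, which is the behaviour the answer describes; the 14-day "skip for now" option only exists for the security-defaults registration flow.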


  2. cosy M 6 Reputation points
    2023-11-01T00:34:39.09+00:00

    If you enable a Conditional Access Policy that requires a user to perform MFA, and enable the Azure Identity Protection Sign-in risk policy, users will immediately be required to register and will not be able to bypass the 14-day grace period. This is because the policy now requires users to be registered to use MFA. This, unlike the registration policy, will block users from continuing until they have completed registration.

    Is this the reason we are not getting the 14-day grace period? I have configured all of it, but I need the grace period for onboarding.
