How to automate new users to be prompted for MFA

MOIZ ARSHAD 20 Reputation points
2024-06-10T15:22:22.8966667+00:00

Hello, I have enabled per-user MFA for all users. I wanted to know: if I turn on Conditional Access and target a dynamic all-users group, will that prompt any new user to create MFA, and does that affect per-user MFA if I have that enforced?

Microsoft Entra ID

Accepted answer
  1. Raja Pothuraju 720 Reputation points Microsoft Vendor
    2024-06-12T12:17:58.3833333+00:00

    Hello @MOIZ ARSHAD,

    Thank you for following up on this!

    So if I turn off MFA per user then will users get prompted to create another MFA authentication with Conditional access?

    In this scenario, if users already have MFA set up, they won't need to create another MFA authentication when transitioning from Per-User MFA to a Conditional Access policy. Once the Conditional Access policy is enabled, users who were previously enrolled in MFA will continue to utilize their existing setup seamlessly.

    For new users who haven't set up MFA, they will be directed to the MFA setup page during their initial sign-in. Once they complete the setup, they can log in to applications by responding to push notifications or other MFA methods.

    Furthermore, will this mean when Conditional Access is turned on any users who get targeted in the all users group will be required to complete MFA whether they are existing members or new members?

    Yes, once you activate a Conditional Access policy, all users targeted by the policy, whether existing or new, will be required to complete MFA. Existing users will simply need to complete the MFA prompt during login, while new users will need to set up MFA during their initial login and complete MFA for subsequent logins.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Thanks,

    Raja Pothuraju.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


1 additional answer

  1. Andy David - MVP 143.8K Reputation points MVP
    2024-06-10T15:49:08.16+00:00

    No, if they already have MFA set up and they are using it, then they won't get prompted to recreate it because of the CA policy, but you need to disable the per-user MFA.

    I would follow these guides

    https://blog.admindroid.com/convert-per-user-mfa-to-conditional-access-mfa-a-must-do-azure-ad-recommendation/#:~:text=Navigate%20to%20Microsoft%20Entra%20admin,you%20want%20to%20require%20MFA.

    https://www.alitajran.com/move-from-per-user-mfa-to-conditional-access-mfa/
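
As an added example (not part of either answer above, and not a Microsoft-supplied script), this is one way to create the Conditional Access policy discussed in this thread with the Microsoft Graph PowerShell SDK. The group and policy display names are assumptions, and the policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is switched to `enabled`.

```powershell
# Added example. Values marked "assumption" are placeholders, not taken from the thread.
# Requires the Microsoft.Graph PowerShell modules and an account allowed to manage
# Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

# Assumption: display name of the dynamic group that contains all users.
$groupName = 'All Users (dynamic)'

# Resolve the group and refuse to continue on zero or ambiguous matches,
# so the policy is never scoped to the wrong set of users.
$groups = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($groups.Count)."
}

$policy = @{
    displayName   = 'Require MFA - all users group'   # assumption
    # Report-only: results are logged but nobody is prompted yet.
    # Change to 'enabled' to enforce MFA for everyone in the group.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # New accounts that join the dynamic group are covered automatically.
        users          = @{ includeGroups = @($groups[0].Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Per-user MFA still has to be disabled separately, as described in the answers above; this policy does not change that setting.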