Hello,
Welcome to Microsoft Q&A,
To enforce a password change and MFA setup immediately after onboarding users via Microsoft Entra ID Lifecycle Workflows, you'll need to leverage a combination of Conditional Access policies, authentication methods policies, and user settings.
Use a temporary password instead of TAP, and mark the account as "must change password at next sign-in".
PowerShell example (AzureAD module; -Password takes a SecureString, not a plain string):
```powershell
# Replace <userId> with the user's object ID or UPN. Generate the temporary
# password rather than hard-coding it; the literal here is only a placeholder.
$tempPassword = ConvertTo-SecureString "TempPassword123" -AsPlainText -Force
Set-AzureADUserPassword -ObjectId <userId> -Password $tempPassword -ForceChangePasswordNextLogin $true
```
✅ TAP can still be used, but with a short lifetime (5–15 minutes) and single use, to force the transition into the secure onboarding steps.
Create a Conditional Access Policy to Require MFA Registration
Microsoft Entra > Conditional Access > New Policy
- Assignments:
  - Users: Include: users in your lifecycle workflow onboarding group
  - Cloud apps or actions: select "All cloud apps"
  - Conditions: optional
- Access controls: Grant access only if:
  - Require multi-factor authentication
  - Require authentication strength: "Multi-factor authentication"
- Enable policy: On
https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength
Use Identity Protection Policy to Require MFA Setup
Go to:
- Microsoft Entra > Protection > Identity Protection > MFA registration policy
- Target the onboarding group or All users
- Require registration during sign-in
Please Upvote and accept the answer if it helps!!
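As an added example that is not part of the answer above: the same three steps (temporary password with forced change, a short-lived single-use TAP, and a Conditional Access policy requiring the built-in "Multifactor authentication" strength for the onboarding group) done with the Microsoft Graph PowerShell SDK instead of the deprecated AzureAD module. The user UPN, group object ID and policy display name are placeholders; the scopes are assumed to be consented for the signed-in admin, and the TAP authentication method is assumed to be enabled in the tenant's Authentication methods policy.

```powershell
# Added example (not the original poster's code): onboarding hardening with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph module, PowerShell 5.1 or 7).
# Placeholders: $userUpn, $onboardingGroupId and the policy displayName.

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'UserAuthenticationMethod.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All'

$userUpn           = 'new.hire@contoso.example'                # placeholder
$onboardingGroupId = '00000000-0000-0000-0000-000000000000'    # placeholder group object ID

$user = Get-MgUser -UserId $userUpn -Property Id,UserPrincipalName

# Step 1: temporary password that must be changed at next sign-in.
# Generate it with a CSPRNG instead of a fixed value like "TempPassword123";
# 24 random bytes base64-encoded gives 32 characters (must also satisfy the
# tenant's password policy).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# Step 2 (alternative or addition): a 10-minute, single-use Temporary Access Pass.
# The returned object carries the one-time value; deliver it out of band and
# do not log it.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -LifetimeInMinutes 10 -IsUsableOnce
Write-Host "TAP issued for $($user.UserPrincipalName), expires in $($tap.LifetimeInMinutes) min"

# Step 3: Conditional Access policy scoped to the onboarding group, all cloud apps,
# granting only with the built-in "Multifactor authentication" strength
# (well-known ID 00000000-0000-0000-0000-000000000002).
# Created in report-only mode first; switch state to 'enabled' after reviewing sign-in logs.
$mfaStrengthId = '00000000-0000-0000-0000-000000000002'
$policy = @{
    displayName = 'Onboarding - require MFA authentication strength'   # placeholder name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($onboardingGroupId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $mfaStrengthId }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created CA policy $($created.Id) in state $($created.State)"
```

Run the script as an admin holding at least the Authentication and Conditional Access administrator roles; the report-only state lets you confirm the onboarding group is matched before enforcing, and the single-use TAP means an intercepted pass that has already been redeemed is worthless.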