Identity Protection MFA Registration policy isn't prompting users

Blakey, Gregory 46 Reputation points

I am an IT administrator in my organization. We will soon be deploying conditional access policies institution wide. In order to prepare for that, we went ahead and purchased azure active directory premium P2 licenses for all of our users. After assigning the users I went ahead and conducted testing for the identity protection MFA registration policy. During testing, I and other IT staff were able to add ourselves to the policy and after we cleared our existing MFA registration methods and signed out we were prompted to register new methods upon logging in but with a 14 day grace period. My manager gave me the OK to roll out that policy to all users, but after doing so, the users report that they have not been prompted with the 14 day grace period asking for more information. I have also noticed a change in my administrative user interface, As the section marked controls in the photo that I sent is now grayed out. Are used to have the ability to check or uncheck that box as recently as yesterday.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,464 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 29,291 Reputation points Microsoft Employee

    Hi @Blakey, Gregory ,

    I think I commented on this issue in the other thread, but if you have a conditional access policy enforcing MFA, then the users will need to pass the MFA request and register (and won't get the 14-day grace period option). If you don't have a policy like that configured, enabling security defaults will trigger a 14 day grace period for registration after a user's first login and security defaults being enabled.

    Conditional Access by itself without Azure Identity Protection does not allow for the 14 day grace period and a conditional access policy requiring MFA will overwrite the grace period exception.

0 additional answers

Sort by: Most helpful