Identity Protection MFA Registration policy isn't prompting users

Blakey, Gregory 46 Reputation points
2021-02-12T23:03:15.117+00:00

I am an IT administrator in my organization. We will soon be deploying conditional access policies institution wide. In order to prepare for that, we went ahead and purchased azure active directory premium P2 licenses for all of our users. After assigning the users I went ahead and conducted testing for the identity protection MFA registration policy. During testing, I and other IT staff were able to add ourselves to the policy and after we cleared our existing MFA registration methods and signed out we were prompted to register new methods upon logging in but with a 14 day grace period. My manager gave me the OK to roll out that policy to all users, but after doing so, the users report that they have not been prompted with the 14 day grace period asking for more information. I have also noticed a change in my administrative user interface, As the section marked controls in the photo that I sent is now grayed out. Are used to have the ability to check or uncheck that box as recently as yesterday. https://twitter.com/AzureSupport/status/1360346391206367236

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,410 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 36,926 Reputation points Microsoft Employee
    2021-02-17T00:33:12.523+00:00

    Hi @Blakey, Gregory ,

    I think I commented on this issue in the other thread, but if you have a conditional access policy enforcing MFA, then the users will need to pass the MFA request and register (and won't get the 14-day grace period option). If you don't have a policy like that configured, enabling security defaults will trigger a 14 day grace period for registration after a user's first login and security defaults being enabled.

    Conditional Access by itself without Azure Identity Protection does not allow for the 14 day grace period and a conditional access policy requiring MFA will overwrite the grace period exception.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.