MFA 14 days grace periods not available

HK G 516 Reputation points
2021-03-03T16:32:24.67+00:00

I am enabling MFA for my Office 365 tenant. We are the regular Azure AD without the Premium P1 and P2 subscription. After enabling MFA for certain accounts, they are prompted for the MFA registration. I thought there is a 14 days grace period for the registration. The registration page doesn't have any way to bypass the registration. So the users have to register MFA before you can successfully sign. I checked the MFA registration policy and didn't now see anyway to change that behavior. Can someone advice how I can enable the grace period? Thanks

Microsoft Entra
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2021-03-03T17:59:30.693+00:00

    You need Identity Protection in order to get the 14-day grace period, and Identity Protection requires an Azure AD Premium P2 license. That's why it's not working.

    https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

    This is discussed by a content author in this Github issue:

    Security defaults will trigger a 14 day grace period for registration after a user's first login and security defaults being enabled. After 14 days users will be required to register for MFA and will not be able to skip.

    Conditional Access by itself without Azure Identity Protection does not allow for the 14 day grace period. Identity Protection includes the registration policy that allows registration on its own with no apps assigned to the policy. If a Conditional Access policy requires Multi-Factor Authentication then the user must be able to pass that MFA request.


1 additional answer

Sort by: Most helpful
  1. HK G 516 Reputation points
    2021-03-03T23:03:14.82+00:00

    Thank you for the feedback.

    1 person found this answer helpful.