Provision MFA for new users

Shahin Mortazave 486 Reputation points


We have already enabled MFA for our users and it is working fine. Now I would like to know if it is possible to provision MFA for new users. The new users need to reset their password when they log in to their accounts for the first time, so I cannot enable MFA for the new users until they have already logged in once.
If we had one or 2 new users a month then I would do it manually after the users logged in, but this is not an easy task when you must create 40 or more accounts a month. Does anyone have any suggestions on how to enable MFA automatically once the user has logged in?


Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Marilee Turscak-MSFT 34,786 Reputation points Microsoft Employee

    You can accomplish something similar to this using Azure Active Directory Identity Protection. Go to Configuration > MFA registration > Require Azure MFA Registration. This does require a P2 Premium license.

    Azure Active Directory Identity Protection will prompt your users to register when they sign in interactively and they will have 14 days to complete registration. During this 14-day period, they can bypass registration but at the end of the period they will be required to register before they can complete the sign-in process.


  2. Shahin Mortazave 486 Reputation points

    @MarileeTurscak Thanks for your reply.
    From what I can see, this policy has already been set up in Azure for all users. I created a new user account and assigned an Office 365 Business Premium license that also contains a P2 license to this new user, but when I log in with the user he doesn't see the message that he has 14 days to configure MFA.
    Did I miss something?



    I think I see the issue here: the policy is not Enforced.
    The remaining question is, when we enforce this policy, what would happen to the users that have already configured their MFA and are already using it?
    When creating the new users should we assign the P2 license and also enable the MFA at the same time?

