Provision MFA for new users

Shahin Mortazave 456 Reputation points
2021-04-29T08:22:16.197+00:00

Hi,

We have already enabled the MFA for our users and it is working fine. Now I would like to know if it is possible to provision MFA for new users, the new users need to reset their password when they login for the first time to their accounts so I cannot enable the MFA for the new users until they already logged in once.
If we had one or 2 new users a month then I would do it manually after the users logged in but this is not easy task when you must create 40 or more accounts a month. Does anyone have any suggestion on how to enable the MFA automatically once the user logged in?

Thanks

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,773 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 20,676 Reputation points Microsoft Employee
    2021-05-03T23:17:55.21+00:00

    You can accomplish something similar to this using Azure Active Directory Identity Protection. Go to Configuration > MFA registration > Require Azure MFA Registration. This does require a P2 Premium license.

    Azure Active Directory Identity Protection will prompt your users to register when they sign in interactively and they will have 14 days to complete registration. During this 14-day period, they can bypass registration but at the end of the period they will be required to register before they can complete the sign-in process.

    No comments

  2. Shahin Mortazave 456 Reputation points
    2021-05-06T08:55:12.987+00:00

    @MarileeTurscak Thanks for your replay,
    From what I can see this policy already has been setup in Azure for all users, I did create a new user account and assign a Office 365 business premium license that also contain a P2 license to this new user but when login with user he don't see the message that he has 14 days to configure the MFA.
    Did I mis something?

    94421-image.png

    UPDATE,

    I think I see the issue here, the policy in not Enforced.
    Question remaining is, when we enforce this policy what would happens to the users that already have configured their MFA and already using it?
    When creating the new users should we assign the P2 license and also enable the MFA at the same time?

    Thanks

    No comments