How To: Configure the multifactor authentication registration policy
Microsoft helps you manage the deployment of multifactor authentication (MFA) by configuring the Microsoft Entra ID Protection policy to require MFA registration no matter what modern authentication app you're signing in to. Multifactor authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins. In order for users to be able to respond to MFA prompts, they must first register authentication methods, like the Microsoft Authenticator app.
We recommend that you require multifactor authentication for all user sign-ins. Based on our studies, your account is more than 99% less likely to be compromised if you use MFA. Even if you don't require MFA all the time, this policy ensures your users are ready when the time comes to do MFA.
Under Include, select All users or Select individuals and groups if limiting your rollout.
Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
Set Policy enforcement to Enabled.
Select Save.
User experience
Microsoft Entra ID Protection will prompt your users to register the next time they sign in interactively and they'll have 14 days to complete registration. During this 14-day period, they can bypass registration if MFA isn't required as a condition, but at the end of the period they're required to register before they can complete the sign-in process.
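As an added example (not part of the Microsoft article), the following PowerShell check lets an admin see which users the policy has not yet caught up with during the 14-day window, while confirming that the excluded break-glass accounts are not counted. It assumes the Microsoft Graph PowerShell SDK reporting cmdlet and property names as I understand them, and the break-glass names are placeholders.

```powershell
# Added example, not from the Microsoft article: list users who have not yet
# completed MFA registration, so admins can track the rollout of the
# registration policy. Uses the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports module); cmdlet and property names are assumptions
# to be checked against the installed module version.
# Prerequisite: Install-Module Microsoft.Graph.Reports

# Emergency access (break-glass) accounts excluded from the policy; placeholder values.
$breakGlass = @('breakglass1@contoso.example', 'breakglass2@contoso.example')

# Permissions the registration-details report requires (assumed).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# Pull every user whose MFA registration is still incomplete.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail `
    -Filter "isMfaRegistered eq false" -All

foreach ($u in $unregistered) {
    if ($breakGlass -contains $u.UserPrincipalName) {
        # Break-glass accounts are deliberately excluded from the policy, so skip them.
        continue
    }
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        IsAdmin    = $u.IsAdmin          # admins still unregistered deserve attention first
        MfaCapable = $u.IsMfaCapable     # has at least one usable strong method
        Methods    = ($u.MethodsRegistered -join ', ')
    }
}
```

Run it again after the 14-day period; any non-excluded account still listed has not completed the registration the policy enforces.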
For an overview of the related user experience, see:
Learn how admins can use Microsoft Entra Conditional Access to distinguish which authentication methods can be used based on relevant security factors.