One of the security challenges when using Azure MFA in combination with Conditional Access is that MFA registration only takes place the first time the user accesses the protected application.
Sometimes that may not happen for days or even months, for example if Conditional Access only requires MFA when the user is outside the corporate network, or if the application is used very rarely.
In the meantime, if the credentials of that user are leaked, an attacker can complete the MFA setup instead of the intended user.
Some companies therefore prefer to pre-enroll or pre-register their users when the account is created in Azure AD. What should not happen, however, is that Azure MFA is enabled on the user's account; we only want to pre-populate one or two authentication methods (based on the mobile phone number).
How can we do that?
- Make sure you synchronize the mobile attribute from on-premises AD to Azure AD with Azure AD Connect (the default synchronization rules do this).
- Populate StrongAuthenticationMethods with the Set-MsolUser cmdlet.
- Do NOT set StrongAuthenticationRequirements (that enables per-user MFA on the account, which is not what we want).
Here is the script to pre-populate the authentication methods (SMS OTP and mobile voice call):
Users can of course change the MFA settings on their own, for example by adding the authenticator app as the primary method, but the advantage of this approach is that users are forced to complete MFA before they can change any MFA settings.
As long as the user has not set up their own mobile phone number for MFA (stored in the Phone attribute of StrongAuthenticationUserDetails), the synchronized mobile number is used.
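The following is an added example, not the author's script, of what the pre-population described above looks like with the legacy MSOnline module (Set-MsolUser / Get-MsolUser). It assumes Connect-MsolService has already been run with an account that may write MFA methods, the user principal name is a constructed placeholder, and the helper function names are my own. It writes only StrongAuthenticationMethods, leaves StrongAuthenticationRequirements untouched, and then reads the user back so you can confirm the three conditions the post relies on: no per-user MFA requirement, the two methods present, and no user-registered phone yet (so the synchronized mobile number is what gets used). Note that Microsoft has retired the MSOnline module; the same properties are exposed today through the Microsoft Graph authentication methods API, but the checks below illustrate what to verify.

```powershell
# Added example (not the author's script): pre-populate SMS OTP and mobile voice call
# as MFA methods with the legacy MSOnline module, without touching
# StrongAuthenticationRequirements. Requires a prior Connect-MsolService.

function Set-PreRegisteredMfaMethods {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName

    # Without a synchronized mobile number the methods would have nothing to call or text
    if ([string]::IsNullOrWhiteSpace($user.MobilePhone)) {
        throw "No MobilePhone on $UserPrincipalName; synchronize the on-premises mobile attribute first."
    }

    # SMS one-time passcode as the default method
    $sms = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $sms.IsDefault  = $true
    $sms.MethodType = "OneWaySMS"

    # Voice call to the mobile number as the second method
    $voice = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $voice.IsDefault  = $false
    $voice.MethodType = "TwoWayVoiceMobile"

    # Only the methods are written; StrongAuthenticationRequirements is deliberately left alone,
    # so per-user MFA is not enabled and Conditional Access stays in control of when MFA is asked.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @($sms, $voice)
}

function Test-PreRegisteredMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName

    [pscustomobject]@{
        UserPrincipalName   = $user.UserPrincipalName
        # Must be 0: any entry here means per-user MFA is enabled or enforced on the account
        MfaRequirementCount = @($user.StrongAuthenticationRequirements).Count
        # Expected: "OneWaySMS (default), TwoWayVoiceMobile"
        Methods             = ($user.StrongAuthenticationMethods | ForEach-Object {
                                  if ($_.IsDefault) { "$($_.MethodType) (default)" } else { $_.MethodType }
                              }) -join ', '
        # Number synchronized from the on-premises mobile attribute by Azure AD Connect
        SyncedMobile        = $user.MobilePhone
        # Empty until the user registers a number themselves; until then the synced mobile is used
        UserRegisteredPhone = $user.StrongAuthenticationUserDetails.PhoneNumber
    }
}

# Example run against a constructed placeholder UPN
$upn = 'jane.doe@contoso.example'
Set-PreRegisteredMfaMethods -UserPrincipalName $upn
Test-PreRegisteredMfaState  -UserPrincipalName $upn | Format-List
```

Run the test function over all newly created accounts as part of provisioning: a non-zero MfaRequirementCount is the mistake the post warns about (per-user MFA switched on), and a populated UserRegisteredPhone shows the user has already taken over their own registration, at which point the synchronized number no longer applies.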