Force Azure MFA registration without enabling MFA on the user


While Azure MFA has many good capabilities, there is currently one thing you cannot do, which may be important for some customers; in fact I have already heard that from them.

The missing part is to ONLY force the user to register for Azure MFA without enabling it on the whole account for every login.

Ok, ok, it's not 100% true, as you can purchase an Azure AD Premium P2 license and use Identity Protection to force registration only, but for sure no customer wants to buy P2 only for that particular feature, as it might be very expensive depending on the number of users you have.

But now, or in the near future to be correct, there is a new way to do so. The solution is the new converged experience for Azure MFA and SSPR (Self Service Password Reset), currently in an opt-in public preview.

Here is how I did it:

  • Create a new user and assign them the proper license (EMS E3 in my case)
  • Activate the new converged MFA/SSPR experience as already described in one of my previous blog posts.
  • Activate the enforcement of SSPR registration for that user: Azure Active Directory -> Password Reset -> Registration
  • When you click Next you need to configure your Authenticator App:
  • Just set up and verify your app and you are done:

You can re-enter the Edit Security Info page and register additional methods, which does not seem to be possible at the moment.

Just check the data on the user's object with the MSOnline module cmdlets (note that it is Get-MsolUser that returns the user object; Set-MsolUser returns nothing):

(Get-MsolUser -UserPrincipalName your.user@domain.com).StrongAuthenticationMethods
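To verify the result of the procedure above for more than one user, the following script is an added example (not code from the original post). It uses only the MSOnline cmdlet already mentioned, Get-MsolUser, and reads two properties of the returned object: StrongAuthenticationMethods (what the user registered) and StrongAuthenticationRequirements (whether per-user MFA is Enabled or Enforced on the account). The UPNs are placeholders, and it assumes the MSOnline module is installed and you can sign in with a role that may read users.

```powershell
# Added example, not from the original post: report which users have registered
# MFA methods while per-user MFA is NOT enabled on the account (the post's goal).
# Assumes the MSOnline module is installed; the UPNs below are placeholders.

Connect-MsolService   # interactive sign-in to the tenant

function Get-MfaRegistrationState {
    param(
        [Parameter(Mandatory)]
        [string[]]$UserPrincipalName
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

        # Methods the user registered through the converged SSPR/MFA page
        $methods = @($user.StrongAuthenticationMethods)
        $default = $methods |
            Where-Object { $_.IsDefault } |
            Select-Object -ExpandProperty MethodType

        # Per-user MFA state: an empty collection means MFA is not turned on for the account
        $requirements = @($user.StrongAuthenticationRequirements)
        $state = if ($requirements.Count -eq 0) { 'Disabled' } else { $requirements[0].State }

        [pscustomobject]@{
            UserPrincipalName    = $upn
            RegisteredMethods    = ($methods | Select-Object -ExpandProperty MethodType) -join ', '
            DefaultMethod        = $default
            PerUserMfaState      = $state
            # True when the user has registered but MFA is not enabled on the account
            RegisteredNotEnabled = ($methods.Count -gt 0 -and $requirements.Count -eq 0)
        }
    }
}

Get-MfaRegistrationState -UserPrincipalName 'your.user@domain.com', 'another.user@domain.com' |
    Format-Table -AutoSize
```

A user who completed the Authenticator app setup shows PhoneAppNotification (push) and PhoneAppOTP among the registered methods; a user with no entries at all has not yet gone through the registration page and should be followed up on before MFA is turned on for them.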


That might look like a dirty trick, as in fact you force the user to register for SSPR. But since the MFA and SSPR experiences are converged, when that feature goes GA there will be no separate forced registration for SSPR or for MFA, since we will only have ONE experience for both.

Additional thoughts:

You can of course try to combine the method above with the blog post I did yesterday about pre-registering MFA methods for users.

Doing so gives you a secure way into Azure MFA for your users: they will have MFA pre-registered and on the first login are forced to set up their own preferences for how to do MFA, but users will need to complete MFA in order to change their MFA settings for the first time.


Author: Peter Stapf

Senior Consultant Identity and Access

2 thoughts on “Force Azure MFA registration without enabling MFA on the user”

  1. One issue with app rollout in this case is that it will say use "Other Account" instead of "Work – school account", and this will work half, but it will not give you push notification for MFA.

    1. That's correct, you cannot pre-register the mobile app, but users can do that on their own.
      This was mainly intended for security because if you don't pre-register, an attacker can use leaked credentials and register their phones for MFA.
