While Azure MFA has many good capabilities, there is currently one thing you cannot do, which may be important for some customers, and in fact I have already heard that from them.
The missing part is to ONLY force the user to register for Azure MFA without enabling MFA on the whole account for every login.
Ok, ok, it's not 100% true, as you can purchase an Azure AD Premium P2 license and use Identity Protection to force registration only, but for sure no customer wants to buy P2 only for that particular feature, as it might be very expensive depending on the number of users you have.
But now, or to be correct, in the near future, there is a new way to do so: the new converged experience for Azure MFA and SSPR (Self Service Password Reset), currently in an opt-in public preview.
Here is how I did it:
- Create a new user and assign them the proper license (EMS E3 in my case)
- Activate the new converged MFA/SSPR experience, as already described in one of my previous blog posts.
- Activate the enforcement of SSPR registration for that user: Azure Active Directory -> Password Reset -> Registration (set "Require users to register when signing in" to Yes)
- Log in with the user to an Azure or O365 service, such as https://portal.office.com or https://myapps.microsoft.com
- After the login you will see the following additional prompt:
- When you click Next you need to configure the Microsoft Authenticator app:
- Just set up and verify your app and you are done:
You can re-enter the Edit Security Info page later and register additional methods, which does not seem to be possible at the moment.
Then check the data on the user's object with the MSOnline module cmdlets (note that it is Get-MsolUser, not Set-MsolUser, that reads the registered methods):
(Get-MsolUser -UserPrincipalName firstname.lastname@example.org).StrongAuthenticationMethods
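To check the result for more than one user, the following PowerShell report, added here as an example and not part of the original post, lists every licensed user with the methods registered on their object and whether per-user MFA is enabled or enforced. It assumes the MSOnline module is installed and that Connect-MsolService has already been run in the session; the property and cmdlet names are the documented MSOnline ones, the variable names are my own.

```powershell
# Added example (not from the original post): report which licensed users have
# registered at least one strong authentication method and which still have
# nothing on their object, plus whether per-user MFA is switched on.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.

# Connect-MsolService

$report = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.IsLicensed } |
    ForEach-Object {
        $methods = $_.StrongAuthenticationMethods
        $default = $methods |
            Where-Object { $_.IsDefault } |
            Select-Object -ExpandProperty MethodType

        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            # Per-user MFA state from the legacy MFA portal (Enabled/Enforced).
            # Empty means the user is NOT challenged at every login, which is
            # exactly the state this post wants: registered, but not enabled.
            PerUserMfaState   = ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
            Registered        = ($methods.Count -gt 0)
            DefaultMethod     = $default
            Methods           = ($methods | Select-Object -ExpandProperty MethodType) -join ','
        }
    }

# Users who have not registered any method yet: the SSPR registration
# enforcement should catch these at their next sign-in.
Write-Host "Users without any registered method:"
$report | Where-Object { -not $_.Registered } | Format-Table UserPrincipalName, PerUserMfaState -AutoSize

# Users who are registered AND have per-user MFA enabled or enforced, i.e.
# they are challenged at every login, which is the behaviour we wanted to avoid.
Write-Host "Registered users that still have per-user MFA switched on:"
$report | Where-Object { $_.Registered -and $_.PerUserMfaState } |
    Format-Table UserPrincipalName, PerUserMfaState, DefaultMethod, Methods -AutoSize
```

Run it once before the rollout to get a baseline and again after the registration enforcement has been on for a few days; the first table should shrink and the second should stay empty if nobody has been enabled in the legacy per-user MFA portal.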
That might look like a dirty trick, as you in fact force the user to register for SSPR. But since the MFA and SSPR experiences are converged, once that feature goes GA there will be no separate forced registration for SSPR or for MFA, since there will only be ONE experience for both.
You can of course combine the method above with the blog post I wrote yesterday about pre-registering MFA methods for users.
Doing so gives you a secure way into Azure MFA for your users: they will have MFA methods pre-registered and on first login are forced to set up their own preferences on how to do MFA, but they will need to complete MFA in order to change their MFA settings for the first time. That is what makes the combination secure: someone who only knows the password cannot register a method of their own.