Microsoft 365 Security Administration:MS-500 Exam Guide

Configuring MFA registration policies

We have already discussed MFA in Chapter 2, Authentication and Security, and Chapter 3, Implementing Conditional Access Policies, and illustrated how MFA can be enabled and enforced for your Microsoft 365 users both via the Office 365 Admin Center and by using Conditional Access policies. It is also possible to configure an Azure MFA registration policy for your cloud-based users from within the Azure AD Identity Protection pane.

In the context of Identity Protection, it is always preferable to require Azure MFA for your user sign-ins as it does the following:

  • Provides strong authentication with a choice of verification methods
  • Provides your users with the option to effectively take responsibility for their own risk detections and use self-remediation

In order to configure the MFA registration policy within Azure Identity Protection, we need to complete the following steps:

  1. From the Azure AD Identity Protection pane, navigate to the Protect section and select MFA registration policy:

    Figure 5.10 – MFA registration policy

  2. Next, under Assignments, select Users:

    Figure 5.11 – Assigning a policy to users

  3. Here, you can decide whether you want to apply the requirement for MFA to all your users or whether to select specific users or groups. You also have the option to explicitly exclude users from the policy. When you have made your selections, click Done:

    Figure 5.12 – Including or excluding users

  4. Next, under Controls and Access, ensure that Require Azure MFA registration is selected:

    Figure 5.13 – Access controls

  5. Click Select, and then ensure that Enforce Policy is set to On:

    Figure 5.14 – Enforcing the policy

  6. Click Save.

The policy will be saved, and the affected users will be prompted to register for MFA the next time they sign in with their Microsoft 365 credentials. They will be able to bypass MFA registration and continue to log in for a period of 14 days. They will then be forced to complete the registration process, or they will be unable to gain access.

Important note

Once again, it is important to ensure that your break glass account is explicitly excluded from the requirement to register for Azure MFA.
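Once the policy is enforced, you will want to see which users have still not registered before the 14-day grace period runs out, and to confirm that your break glass account is the only one you expect to stay unregistered. The following PowerShell is an added example and is not part of the book or of Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Reports module), a role such as Global Reader or Security Reader, and the Graph userRegistrationDetails report fields (IsMfaRegistered, IsAdmin, MethodsRegistered). The break glass UPN is a placeholder.

```powershell
# Added example (not the book's own code): report users still unregistered for MFA
# after the Identity Protection MFA registration policy has been enforced.
Import-Module Microsoft.Graph.Reports

# Scopes assumed for the userRegistrationDetails report; adjust to your tenant's consent.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# Placeholder: your tenant's break glass account, which the policy should EXCLUDE.
$breakGlassUpn = 'breakglass@example.onmicrosoft.com'

# Pull the registration state for every user (-All pages through the whole report).
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users the policy will lock out at the end of the 14-day window if they do nothing.
$pending = $details | Where-Object { -not $_.IsMfaRegistered }

# The break glass account is expected to be unregistered because it is excluded from
# the policy; the report itself does not know the policy scope, so separate it out
# rather than chasing it like an ordinary user.
$breakGlass = $pending | Where-Object { $_.UserPrincipalName -eq $breakGlassUpn }
$toChase    = $pending | Where-Object { $_.UserPrincipalName -ne $breakGlassUpn }

if (-not $breakGlass) {
    # If the break glass account shows as registered, check whether someone enrolled it;
    # re-verify the policy's Exclude list from step 3 either way.
    Write-Warning "$breakGlassUpn is not in the unregistered list - confirm it is still excluded from the policy."
}

# Admins go first: an unregistered admin is the highest-risk pending account.
$toChase |
    Select-Object UserPrincipalName, IsAdmin,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

"Unregistered users (excluding break glass): $($toChase.Count)"
```

Run it again a few days into the grace period; any account still listed will be blocked at sign-in once the 14 days elapse.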

With this, we have shown you how an MFA registration policy can be configured and deployed to your Microsoft 365 users with Azure AD Identity Protection. This policy will force your users to register for MFA. If you have Azure AD Premium P2 licenses available in your tenant, it is highly recommended that you deploy the MFA registration policy.