Azure AD Identity Protection: MFA Registration Policy

This is my first follow-up blog post on Azure AD Identity Protection. In this post I will show how easily you can set up a policy that requires your users to register their Multi-Factor Authentication details.

To do this you will first need to add Azure AD Identity Protection to your tenant. That is described in my previous blog post on this topic here.

When you go into the AAD Identity Protection portal, click on Settings and then go to Multi-Factor Authentication -> Registration.


Here you will see your registration status and are able to set a policy that requires users to register their credentials at login. The nice part about using this policy instead of the old setting in the old Azure AD portal (manage.windowsazure.com) is that you can now define a group of users and not necessarily all users at once.


As you can see, I have 6 users in my test tenant not registered for MFA, and I have enabled a policy that requires the users to register for MFA at logon. For demo purposes I have added a single user and a group; the choice is yours. I have also allowed the users to skip the registration for 3 days before it is enforced at logon. And of course you will need to enable the policy and save.
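To see the same registration status from the command line for the group you scoped the policy to, here is an added example (not from the original post) using the MSOnline PowerShell module. It assumes you have already run Connect-MsolService, that the group name "MFA Pilot" is a placeholder for your own group, and that an empty StrongAuthenticationMethods collection means the user has not registered yet.

```powershell
# Added example: list members of the scoped group who have not registered
# any MFA method yet, i.e. the users the policy will prompt once the grace
# period ends. Assumes the MSOnline module and an existing connected session.
Import-Module MSOnline
Connect-MsolService

$groupName = 'MFA Pilot'   # placeholder: the group you added to the policy
$group = Get-MsolGroup -SearchString $groupName | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

# Only direct user members; nested groups are not expanded here.
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -MemberObjectTypes User -All

$report = foreach ($m in $members) {
    $u = Get-MsolUser -ObjectId $m.ObjectId
    $methods = @($u.StrongAuthenticationMethods)
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaMethods        = $methods.Count
        Registered        = ($methods.Count -gt 0)
    }
}

# Registered = False are the users still inside (or past) the grace period.
$report | Sort-Object Registered, UserPrincipalName | Format-Table -AutoSize
```

Run it again after the grace period has passed to confirm that the number of unregistered users in the group has dropped to zero.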

In the old portal the only option is to enable this for all users, and it also states that this is not currently supported for Office 365 sign-ins.

I have tested this by logging in to portal.office.com and the user experience is as follows.

During the grace period of 3 days the user login looks like this:


If the user chooses to skip this setup they will be logged in as normal until the grace period is over. After the grace period the user will be forced to enter the information to be able to log in.


Now the user must click on the “Set it up now” button to be able to log in. The user is then automatically redirected to the page for entering their details.


And when the details are verified the login proceeds as normal.

THIS ONLY ENFORCES REGISTRATION; IT DOES NOT CHANGE THE LOGIN TO REQUIRE MFA IN THE FUTURE

I have also tested this in Office (Word 2016) by trying to add my account to Office, and as far as I can see in my test this applies to Office as well.

[Screenshot: signing in to Word 2016 with the test user]

This picture is from trying to log in to Word with my test user, and I cannot get in without registering my MFA information.

Small Update:

It doesn’t look like this will be enforced at logon on a Windows 10 Azure AD domain-joined device.

What happens is that when a user is logged on to a Windows 10 machine and you have a Passport for Work policy enabled (e.g. in Intune), the user is required to create a Work PIN. This process will indeed enforce the MFA setup. The same applies if you enroll a device in Intune or do an AAD Join and have MFA required for registering devices. But if you somehow make this process fail, you will be able to log on to the Windows 10 AAD-joined machine without setting up your MFA details.

However, the user will not be able to access any resources with his credentials until he has provided his MFA details. As before, when trying to access O365 the user needs to provide his MFA details.

Look for more posts on this subject, but I will probably need to wait for EU support before I can dig into all the nice things in AAD Identity Protection.
