Azure AD MFA - Require once enrolled

Shaun Rockett 1 Reputation point
2020-10-20T16:02:35.707+00:00

Hi Guys,

I am hoping I am missing something obvious in conditional access. But I don't see a way to enforce MFA after enrollment on an app. That is to say, once someone enrolls they get prompted moving forward. If they haven't signed up, they don't.

All I can see is to blanket enforce or blanket enforce based on group membership. Is there any way to achieve this?

If not, I wonder if there is a way to use PowerShell to get a list of MFA-enrolled users that could then be added to an AD group for enforcement with conditional access?


2 answers

  1. Vasil Michev 96,161 Reputation points MVP
    2020-10-20T16:18:36.947+00:00

    If you are under the scope of a given CA policy, the MFA requirement is always enforced. If they haven't completed the registration process yet, they will get prompted to do that first. It's a package deal.

    If you want to separate those two, you'll have to use the good old MFA portal configuration (https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365)


  2. Shaun Rockett 1 Reputation point
    2020-10-29T11:03:21.83+00:00

    I just wanted to provide an update. We ended up using a script to accomplish this.

    1. Users are added to the 14-day enrollment group and get prompted for 14 days to enroll.
    2. The script below runs nightly and checks for user enrollment. Users that are enrolled are added to an enforcement group.
    3. We enforce MFA on the enforcement group using conditional access.

    Script:

    $username = "account@domain.com"
    # password.txt holds a DPAPI-protected string written with ConvertFrom-SecureString,
    # so it can only be decrypted by the same Windows account on the same machine.
    $pwdTxt = Get-Content "C:\Scripts\MFA\password.txt"
    $securePwd = $pwdTxt | ConvertTo-SecureString
    $credObject = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $securePwd

    Connect-MsolService -Credential $credObject

    $RequiredGroupID = "14DayEnrollmentGroupID"
    $TargetGroupID   = "MFAEnforcementGroupID"

    # Members already in the enforcement group, so a nightly run does not try to add them twice
    $enforced = @{}
    Get-MsolGroupMember -GroupObjectId $TargetGroupID -All |
        ForEach-Object { $enforced[$_.ObjectId.ToString()] = $true }

    $users = Get-MsolGroupMember -GroupObjectId $RequiredGroupID -All

    foreach ($member in $users) {
        $user = Get-MsolUser -ObjectId $member.ObjectId
        # StrongAuthenticationMethods stays empty until the user completes MFA registration
        if ($user.StrongAuthenticationMethods.Count -gt 0) {
            if (-not $enforced.ContainsKey($user.ObjectId.ToString())) {
                Add-MsolGroupMember -GroupObjectId $TargetGroupID -GroupMemberType User -GroupMemberObjectId $user.ObjectId
                "{0}: enrolled, added to enforcement group" -f $user.UserPrincipalName
            }
        }
        else {
            "{0}: not enrolled" -f $user.UserPrincipalName
        }
    }
    
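The same nightly sync written against the Microsoft Graph PowerShell SDK, as an added example that is not the original poster's script. The MSOnline module the answer above relies on (Connect-MsolService, StrongAuthenticationMethods) has been deprecated, and the registration state it exposed is now available from the authentication methods registration report. Assumptions: the Microsoft.Graph.Reports and Microsoft.Graph.Groups modules are installed, the signed-in account has been granted the listed scopes, and the two group IDs are placeholders for your own enrollment and enforcement groups.

```powershell
# Added example, not the original poster's code. Assumes Microsoft.Graph.Reports and
# Microsoft.Graph.Groups are installed; the group IDs below are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","GroupMember.ReadWrite.All"

$EnrollmentGroupId  = "00000000-0000-0000-0000-000000000001"   # placeholder: 14-day enrollment group
$EnforcementGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: MFA enforcement group

# One report call returns the registration state of every user in the tenant, so we build
# a lookup keyed by user object ID instead of querying each user individually.
$registered = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsMfaRegistered } |
    ForEach-Object { $registered[$_.Id] = $_.UserPrincipalName }

# Members already in the enforcement group, so the script is safe to re-run every night.
$alreadyEnforced = @{}
Get-MgGroupMember -GroupId $EnforcementGroupId -All |
    ForEach-Object { $alreadyEnforced[$_.Id] = $true }

foreach ($member in Get-MgGroupMember -GroupId $EnrollmentGroupId -All) {
    if ($registered.ContainsKey($member.Id)) {
        if (-not $alreadyEnforced.ContainsKey($member.Id)) {
            New-MgGroupMember -GroupId $EnforcementGroupId -DirectoryObjectId $member.Id
            "{0}: MFA registered, added to enforcement group" -f $registered[$member.Id]
        }
    }
    else {
        "{0}: not yet registered" -f $member.Id
    }
}
```

The report also exposes IsMfaCapable, which is the better gate if you want "has a method that can actually satisfy an MFA challenge" rather than "has registered something"; swapping it for IsMfaRegistered in the Where-Object filter is the only change needed. Keep in mind the point made in the first answer: a Conditional Access policy scoped to the enforcement group will still walk an unregistered user through registration at sign-in, so the staged group only controls when that prompt starts, not whether it happens.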