BlakeyGregory-2504 asked:

Identity Protection MFA Registration policy isn't prompting users

I am an IT administrator in my organization. We will soon be deploying Conditional Access policies institution-wide. In order to prepare for that, we went ahead and purchased Azure Active Directory Premium P2 licenses for all of our users. After assigning the users, I went ahead and conducted testing for the Identity Protection MFA registration policy. During testing, I and other IT staff were able to add ourselves to the policy, and after we cleared our existing MFA registration methods and signed out, we were prompted to register new methods upon logging in, but with a 14-day grace period. My manager gave me the OK to roll out that policy to all users, but after doing so, the users report that they have not been prompted with the 14-day grace period asking for more information. I have also noticed a change in my administrative user interface, as the section marked Controls in the photo that I sent is now grayed out. I used to have the ability to check or uncheck that box as recently as yesterday. https://twitter.com/AzureSupport/status/1360346391206367236

azure-ad-identity-protection

1 Answer

MarileeTurscak-MSFT answered:

Hi @BlakeyGregory-2504,

I think I commented on this issue in the other thread, but if you have a Conditional Access policy enforcing MFA, then the users will need to pass the MFA request and register (and won't get the 14-day grace period option). If you don't have a policy like that configured, enabling security defaults will trigger a 14-day grace period for registration after a user's first login with security defaults enabled.

Conditional Access by itself, without Azure Identity Protection, does not allow for the 14-day grace period, and a Conditional Access policy requiring MFA will overwrite the grace-period exception.


Hi Marilee,

Thanks for the insight into this. We'd previously had Conditional Access enabled for a pilot group to test the what-if scenarios, but it was disabled prior to issuing the P2 licenses and enabling the MFA registration policy. I've cleared up what the issue was.

Due to the combined registration for SSPR and MFA setting being enabled, many of our users who were already registered for SSPR were not being prompted to register MFA authentication methods, as they had already done so during the SSPR rollout. I've received follow-up from Microsoft and was instructed on how to pull PS reports that displayed which users had/hadn't registered for MFA and which method they had registered with.

Thanks,
Greg

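The registration report Greg refers to can be produced with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Reports module is installed, that the signed-in account can be granted the AuditLog.Read.All scope (Reports Reader or Global Reader is enough), and that the output file name is arbitrary. It separates users who are MFA-registered from those who only hold SSPR-only methods, which is the distinction that explains why combined registration stopped re-prompting users:

```powershell
# Added example (not from the thread): report which users have and have not
# registered MFA methods, and which methods they registered, via Microsoft Graph.
# Assumes the Microsoft.Graph.Reports module is installed and the account can
# consent to AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# One row per user from the authentication-methods registration report.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($d in $details) {
    [pscustomobject]@{
        UserPrincipalName = $d.UserPrincipalName
        IsMfaRegistered   = $d.IsMfaRegistered
        IsSsprRegistered  = $d.IsSsprRegistered
        # MethodsRegistered is a string array (e.g. microsoftAuthenticatorPush,
        # mobilePhone, securityQuestion); flatten it for CSV output.
        Methods           = ($d.MethodsRegistered -join ', ')
    }
}

# Users who registered MFA-capable methods (phone, Authenticator) during an SSPR
# rollout count as MFA-registered under combined registration and will not be
# prompted again by the Identity Protection registration policy.
$alreadyCovered = $report | Where-Object { $_.IsSsprRegistered -and $_.IsMfaRegistered }

# Users with SSPR-only methods (security questions, e-mail) are still MFA-unregistered
# and are the ones the registration policy should still prompt.
$needsMfa = $report | Where-Object { -not $_.IsMfaRegistered }

$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation   # file name is arbitrary

"Total users: $($report.Count)"
"MFA-registered via earlier SSPR registration: $($alreadyCovered.Count)"
"Not MFA-registered: $($needsMfa.Count)"
$needsMfa | Format-Table UserPrincipalName, IsSsprRegistered, Methods -AutoSize
```

The same data was historically pulled with the MSOnline module (`Get-MsolUser -All` and its `StrongAuthenticationMethods` property), but that module is deprecated and the Graph report also carries the SSPR flag, which is what makes the combined-registration overlap visible.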

@BlakeyGregory-2504,

Thank you for sharing your findings with the community. As this engagement helped you reach a solution, it would be great if you could accept it as the answer so as to improve the relevancy of this post in the interest of the community.

Thank you
shashi


Just a question: the users that are not being prompted, are they on the corporate network, which I assume is whitelisted in the MFA Conditional Access rule?
We have this issue with many customers and it is a big pain. Many companies have users that only perform AAD sign-ins from the office network, and these users will never be forced to register for MFA or a second registration option because of the location exclusion in Conditional Access. Identity Protection could do it, but not all customers want to buy Azure Premium P2 licenses.
We have used Conditional Access rules with sign-in frequency combined with SSPR to push it through, but I really hope that Microsoft at some point comes with a better solution for the scenario.

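The gap described in the last comment (users who only ever sign in from a location excluded from the MFA policy never get a registration prompt) can at least be made visible. The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed and the account can be granted Policy.Read.All. It lists every enabled Conditional Access policy that requires MFA but also excludes locations, resolves the excluded named-location ids to their display names, and shows whether the policy sets a sign-in frequency, the workaround the commenter mentions:

```powershell
# Added example (not from the thread): audit enabled Conditional Access policies
# that require MFA yet exclude locations, since users who only sign in from an
# excluded network are never challenged and therefore never asked to register.
# Assumes Microsoft.Graph.Identity.SignIns is installed and Policy.Read.All can be consented.
Connect-MgGraph -Scopes "Policy.Read.All"

# Map named-location ids to display names so the output is readable.
$locationNames = @{}
foreach ($loc in Get-MgIdentityConditionalAccessNamedLocation -All) {
    $locationNames[$loc.Id] = $loc.DisplayName
}

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
    $excluded    = @($p.Conditions.Locations.ExcludeLocations)

    if ($p.State -ne 'enabled' -or -not $requiresMfa -or $excluded.Count -eq 0) { continue }

    # 'AllTrusted' is a built-in token rather than a named-location id, so it is
    # passed through unchanged when it is not found in the lookup table.
    $excludedNames = $excluded | ForEach-Object {
        if ($locationNames.ContainsKey($_)) { $locationNames[$_] } else { $_ }
    }

    $sif = $p.SessionControls.SignInFrequency
    $sifText = if ($sif -and $sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { 'not set' }

    [pscustomobject]@{
        Policy            = $p.DisplayName
        ExcludedLocations = ($excludedNames -join ', ')
        SignInFrequency   = $sifText
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No enabled MFA policies with location exclusions found."
}
```

A policy that appears in this list with "not set" under SignInFrequency is one where office-only users can go indefinitely without ever hitting the MFA challenge; pairing the output with the registration report above (users with IsMfaRegistered equal to false) identifies the population that an Identity Protection registration policy, or a sign-in frequency control, would need to reach.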