How To: Configure the Azure AD Multi-Factor Authentication registration policy

Azure AD Identity Protection helps you manage the roll-out of Azure AD Multi-Factor Authentication (MFA) registration with a policy that requires users to register for MFA regardless of which modern authentication app they are signing in to.

What is the Azure AD Multi-Factor Authentication registration policy?

Azure AD Multi-Factor Authentication verifies who a user is with more than just a username and password, adding a second layer of security to user sign-ins. Before users can respond to MFA prompts, they must first register for Azure AD Multi-Factor Authentication; the registration policy is how you make that happen across the tenant.

We recommend that you require Azure AD Multi-Factor Authentication for user sign-ins because it:

  • Delivers strong authentication through a range of verification options.
  • Plays a key role in preparing your organization to self-remediate from risk detections in Identity Protection.

For more information on Azure AD Multi-Factor Authentication, see What is Azure AD Multi-Factor Authentication?

Policy configuration

  1. Navigate to the Azure portal.
  2. Browse to Azure Active Directory > Security > Identity Protection > MFA registration policy.
  3. Under Assignments > Users, choose All users, or choose Select individuals and groups if you are limiting the rollout to a pilot group. Optionally, exclude specific users from the policy.
  4. Set Enforce Policy to On.
  5. Select Save.

User experience

Azure Active Directory Identity Protection prompts each user to register the next time they sign in interactively, and from that first prompt the user has 14 days to complete registration. During those 14 days the user can skip registration, provided nothing else (such as a Conditional Access policy) requires MFA for that sign-in; once the period ends, the sign-in does not complete until registration is done. Because the clock runs per user from their first interactive sign-in, not from the moment you saved the policy, rollout progress will differ from user to user.
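The portal shows the policy's assignment but not who has actually completed registration or whose 14-day window has already lapsed. The script below is an added example (not code from this article or from Microsoft) that reads the Microsoft Graph user registration details report and answers both questions for the users the policy targets. It assumes the v1.0 report endpoint and its field names (`userPrincipalName`, `isMfaRegistered`, `isAdmin`), a bearer token carrying the report permissions from the Graph reference (AuditLog.Read.All is assumed here), and that you resolve the pilot group's members and each user's first interactive sign-in date yourself; the tenant records, group membership and prompt dates in the block are constructed sample data.

```python
"""Audit MFA registration after enabling the Identity Protection registration policy.

Added example, not from the Microsoft article. It reads the Microsoft Graph
authentication-methods registration report and lists who in the policy's
scope has still not registered, and whose 14-day registration window has ended.
"""
import json
import urllib.request
from datetime import date, timedelta
from typing import Iterable, Iterator, Optional

# Graph report behind "Azure AD > Security > Authentication methods > User registration details".
GRAPH_REPORT_URL = (
    "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
)


def fetch_registration_details(access_token: str) -> Iterator[dict]:
    """Page through the Graph report and yield one record per user.

    Needs a token carrying the report permissions from the Graph reference
    (assumption: AuditLog.Read.All; verify against the current docs).
    """
    url: Optional[str] = GRAPH_REPORT_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page


def mfa_rollout_report(records: Iterable[dict], in_scope: Optional[Iterable[str]] = None) -> dict:
    """Classify users the way the MFA registration policy sees them.

    in_scope: UPNs of the users or group members the policy is assigned to
    (resolve the group separately); None means the policy targets All users.
    Users you excluded from the policy should simply be left out of in_scope.
    """
    scope = None if in_scope is None else {u.lower() for u in in_scope}
    report = {"registered": [], "unregistered": [], "unregistered_admins": [], "out_of_scope": []}
    for rec in records:
        upn = rec["userPrincipalName"].lower()
        if scope is not None and upn not in scope:
            report["out_of_scope"].append(upn)
            continue
        if rec.get("isMfaRegistered"):
            report["registered"].append(upn)
        else:
            report["unregistered"].append(upn)
            if rec.get("isAdmin"):  # unregistered admins deserve first attention
                report["unregistered_admins"].append(upn)
    for key in report:
        report[key].sort()
    return report


def grace_expired(unregistered: Iterable[str], first_prompt: dict, today: str,
                  grace_days: int = 14) -> list:
    """Unregistered users whose window has ended, so sign-in now blocks until they register.

    first_prompt maps UPN -> ISO date of the user's first interactive sign-in after
    the policy was enforced (taken from the sign-in logs; the clock runs per user,
    not from the day the policy was saved). Users not yet prompted are skipped.
    """
    as_of = date.fromisoformat(today)
    expired = []
    for upn in unregistered:
        first = first_prompt.get(upn.lower())
        if first and date.fromisoformat(first) + timedelta(days=grace_days) <= as_of:
            expired.append(upn.lower())
    return sorted(expired)


# Constructed sample shaped like the Graph report; not real tenant data.
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True, "isAdmin": False,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False, "isAdmin": False,
     "methodsRegistered": []},
    {"userPrincipalName": "Carol@contoso.example", "isMfaRegistered": False, "isAdmin": True,
     "methodsRegistered": []},
    {"userPrincipalName": "dave@contoso.example", "isMfaRegistered": True, "isAdmin": False,
     "methodsRegistered": ["fido2SecurityKey"]},
]
# Constructed pilot group (the policy's "Select individuals and groups" assignment).
PILOT_GROUP = {"alice@contoso.example", "bob@contoso.example", "carol@contoso.example"}
# Constructed: each user's first interactive sign-in after the policy was enforced.
FIRST_PROMPT = {"bob@contoso.example": "2024-03-01", "carol@contoso.example": "2024-03-10"}

if __name__ == "__main__":
    report = mfa_rollout_report(SAMPLE_RECORDS, PILOT_GROUP)
    print(json.dumps(report, indent=2))
    print("grace expired:", grace_expired(report["unregistered"], FIRST_PROMPT, "2024-03-16"))
```

For a live tenant, replace `SAMPLE_RECORDS` with `fetch_registration_details(token)` and build `FIRST_PROMPT` from the interactive sign-in logs. The deadline check needs those per-user dates because the report itself carries no registration deadline; users excluded from the policy never get prompted, so they stay unregistered and cannot self-remediate risk detections in Identity Protection.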

For an overview of the related user experience, see:

Next steps