How To: Configure the Microsoft Entra multifactor authentication registration policy

Microsoft Entra ID Protection helps you manage the roll-out of Microsoft Entra multifactor authentication registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you're signing in to.

What is the Microsoft Entra multifactor authentication registration policy?

Microsoft Entra multifactor authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins. In order for users to be able to respond to MFA prompts, they must first register for Microsoft Entra multifactor authentication.

We recommend that you require Microsoft Entra multifactor authentication for user sign-ins because it:

  • Delivers strong authentication through a range of verification options.
  • Plays a key role in preparing your organization to self-remediate from risk detections in Identity Protection.

For more information on Microsoft Entra multifactor authentication, see What is Microsoft Entra multifactor authentication?

Policy configuration

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator
  2. Browse to Protection > Identity Protection > MFA registration policy.
    1. Under Assignments > Users
      1. Under Include, select All users or Select individuals and groups if limiting your rollout.
      2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
  3. Enforce Policy - On
  4. Save

User experience

Microsoft Entra ID Protection will prompt your users to register the next time they sign in interactively and they'll have 14 days to complete registration. During this 14-day period, they can bypass registration if MFA isn't required as a condition, but at the end of the period they'll be required to register before they can complete the sign-in process.

For an overview of the related user experience, see:

Next steps