Requiring MFA on Azure AD accounts is a top priority at the moment; it has effectively become a baseline requirement.
There are a couple of ways to enable MFA on user accounts by default. Doing so makes sure all users are protected without having to run periodic reports and chase individuals.
The reason for collating all the options in this article is that they live in a few different locations, and the options available depend on your licensing tier (free or paid).
Security Defaults
Security Defaults is enabled by default on new M365 tenants (those created since October 2019). It gives every account 14 days from its first sign-in to register for MFA; once the 14 days are up, the user must register before they can continue using the account.
If you are not on a paid Azure AD tier (P1 or P2), this is an excellent way to get your users registered for MFA. Note that Security Defaults is a single tenant-wide switch with no per-user exclusions, and it cannot be combined with Conditional Access policies.
Security Defaults enforces MFA registration for all users, requires MFA on every sign-in for accounts holding the privileged roles below, prompts all other users for MFA when needed (for example on a risky sign-in), blocks legacy authentication protocols, and requires MFA for privileged actions against the Azure Resource Manager API (Azure Portal, Azure PowerShell, Azure CLI):
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional Access administrator
- Security administrator
- Helpdesk administrator
- Billing administrator
- User administrator
- Authentication administrator
To enable Security Defaults in your tenant, if you intend to use it:
https://aad.portal.azure.com/ > Azure Active Directory > Properties > Manage Security Defaults
Toggle the option to Yes.
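The same switch can be flipped from PowerShell, which is handy when you manage several tenants. The script below is an added example, not part of the original article, and uses the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns). It assumes you sign in with a Global Administrator account. Because Security Defaults and Conditional Access are mutually exclusive, it first checks for existing Conditional Access policies and stops if any are found, since the tenant will refuse to enable Security Defaults until they are removed.

```powershell
# Added example (not from the original article): check and enable Security Defaults
# with the Microsoft Graph PowerShell SDK. Assumes Global Administrator rights.
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.Read.All to read the current setting, Policy.ReadWrite.ConditionalAccess to change it.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Security Defaults cannot be enabled while Conditional Access policies exist in the tenant,
# so list them first rather than hitting an error on the update.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
if ($caPolicies.Count -gt 0) {
    Write-Warning ("Tenant has {0} Conditional Access policies; Security Defaults cannot be enabled until they are removed." -f $caPolicies.Count)
    $caPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
    return
}

$current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($current.IsEnabled) {
    Write-Host "Security Defaults is already enabled."
}
else {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

    # Read the setting back rather than trusting the update call succeeded silently.
    $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host ("Security Defaults enabled: {0}" -f $after.IsEnabled)
}
```

Run it once against a tenant you are about to onboard; if it warns about existing Conditional Access policies, the tenant is already on a paid tier and the Conditional Access approach in the next section is the one to use.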
Conditional Access Policies
To use Conditional Access policies, users must have an Azure AD P1 or P2 license assigned, or an M365 license that includes P1 or P2.
Provided you meet the licensing requirement, create a policy with Access controls set to Grant > Grant access > Require multi-factor authentication. As you add users to the policy, they will be prompted at their next sign-in to register for MFA, and from then on the policy will issue them the MFA challenge. Exclude your emergency-access (break-glass) accounts from the policy so that a misconfiguration cannot lock every administrator out.
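The following is an added example, not code from the original article, showing the same policy created with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns). It assumes Conditional Access Administrator rights and a hypothetical group ID for the break-glass accounts. It goes one step beyond the text: because Conditional Access, unlike Security Defaults, does not block legacy authentication on its own, it also creates a second policy that blocks legacy protocols, which would otherwise bypass the MFA requirement.

```powershell
# Added example (not from the original article): require MFA for all users with Conditional
# Access, plus a companion policy blocking legacy authentication. Assumes Conditional Access
# Administrator rights.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Hypothetical object ID of the group containing your emergency-access (break-glass) accounts.
# Always exclude them so a misconfigured policy cannot lock every administrator out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$mfaPolicy = @{
    displayName = "Require MFA for all users"
    # Start in report-only mode and review the sign-in log before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Legacy protocols (IMAP, POP, SMTP AUTH, ActiveSync basic auth) cannot complete an MFA
# challenge, so the MFA policy above never applies to them; block them outright instead.
$legacyAuthPolicy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = foreach ($body in @($mfaPolicy, $legacyAuthPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
$created | Select-Object Id, DisplayName, State | Format-Table -AutoSize

# Once the report-only results look right, enforce each policy by ID:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State "enabled"
```

Leaving both policies in report-only mode for a week shows you, in the sign-in log, exactly which users and which legacy clients would have been affected before anyone is actually blocked.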
MFA registration policy in Azure AD Identity Protection
Rather than sending users the URL https://aka.ms/setupmfa and relying on them to act, you can have Identity Protection enforce registration and simply inform users of what to expect.
Sending the URL to users and leaving registration up to them has a few disadvantages.
It leaves gaps in the implementation: you may forget to email a user, or the user may decide not to register, and chasing them is harder than it sounds.
Adding users to the registration policy makes sure they register for MFA even if they keep skipping the prompt during the first 14 days, because once that grace period ends the policy is mandatory.
The policy has two scoping options: All users, or selected users and groups.
If you have accounts used by line-of-business apps that do not work with MFA, use the second option and scope the policy to selected users or groups. Keep the set of accounts left outside the policy as small as possible and review it regularly, since each of them remains unprotected.
To create the policy, go to the Azure AD portal > All services > Azure AD Identity Protection > MFA registration policy.
Add the selected users or groups, set Enforce policy to On, and save.
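The policy is created in the portal as above; what a practitioner then wants is a way to confirm it is actually working, and to find any privileged account still without MFA. The script below is an added example, not part of the original article, and uses the authentication methods registration report from the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Reports). It assumes a Reports Reader or Global Reader account, and the exception list it uses is a constructed placeholder for accounts you have deliberately scoped out of the policy.

```powershell
# Added example (not from the original article): report users who have not registered MFA,
# with administrators first. Assumes Reports Reader or Global Reader rights.
Import-Module Microsoft.Graph.Reports

# Scopes as documented for the userRegistrationDetails report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Constructed placeholder: accounts intentionally left outside the registration policy
# (for example a service account behind a line-of-business app that cannot do MFA).
$knownExceptions = @("svc-lob-app@contoso.example")

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Internal (member) users only; guests register MFA in their home tenant.
$members = @($details | Where-Object { $_.UserType -eq "member" })

$unregistered = @($members | Where-Object {
    -not $_.IsMfaRegistered -and ($knownExceptions -notcontains $_.UserPrincipalName)
})

$registeredCount = @($members | Where-Object { $_.IsMfaRegistered }).Count
Write-Host ("Members: {0}; MFA registered: {1}; not registered (excluding known exceptions): {2}" -f `
    $members.Count, $registeredCount, $unregistered.Count)

# A privileged account without MFA is the most urgent finding, so surface those first.
$adminsWithoutMfa = @($unregistered | Where-Object { $_.IsAdmin })
if ($adminsWithoutMfa.Count -gt 0) {
    Write-Warning ("{0} privileged account(s) have no MFA registered:" -f $adminsWithoutMfa.Count)
    $adminsWithoutMfa | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize
}

# Full list for follow-up, administrators at the top.
$unregistered |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin, IsMfaCapable, MethodsRegistered |
    Export-Csv -Path ".\mfa-not-registered.csv" -NoTypeInformation
```

Run this a couple of weeks after enabling the registration policy: with the 14-day grace period over, any member account still in the output is either one of your deliberate exceptions or a user the policy has not yet caught, which usually means they have not signed in interactively since it was enabled.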
There is not much more to add, but it is clear that the Azure AD options give you flexibility in your implementation. Whatever your approach, make sure your users are protected with MFA, since it has itself become a security default for safeguarding accounts.