Forum Discussion
Report on users with MFA Enabled
- Feb 28, 2018
No, your users are not enabling MFA for themselves by using those URLs, That's a fact. You may have some other configuration going on.
It is not approved Microsoft process to pre publish the 2fa web page for the user to fill out. You will notice the apppassword tab is missing as when till enabled. I have found if users prefill out this form there is a problem in the 2factor process. I need to reset all users that pre filled out form. The hole process of enable and auto enforce makes the 2 factor process very difficult to role out. The app password on the phone is the hardest for people to understand as well. You have no idea how long it will take to use the new app password on the phone. Also the tab for app passwords does not even look like a tab and is often over looked by end users. The visibility into the whole process is a complete different experience form Duo, reports what reports ! Microsoft = NO reports of value... with out PowerShell.
It is not approved Microsoft process to pre publish the 2fa web page for the user to fill out. You will notice the apppassword tab is missing as when till enabled.
That is not correct. Microsoft officially says here that:
Once you enable the conditional access policy, users will be forced to enroll the next time they use an app protected with the policy. If you enable a policy requiring MFA for all users on all cloud apps, this action could cause headaches for your users and your helpdesk. The recommendation is to ask users to register authentication methods beforehand using the registration portal at https://aka.ms/mfasetup. Many organizations find that creating posters, table cards, and email messages helps drive adoption.
- Magnus TengmoNov 29, 2018Copper ContributorWe let enduser pre-enroll MFA via https://aka.ms/mfasetup, but later Enable the enduser for MFA. After that, the possibilty to setup apppassword exists.
Using Conditional access will only let you force MFA for modern authentication, it doesn´t "disable" legacy authentication with apppasswords.
Or have I missunderstood this?- ArjanCornelissenDec 09, 2018Brass Contributor
Disabling legacy authentication can be done with Conditional Access.
Follow these steps
- Create a new policy
- Select the users that you want this enabled on
- Under conditions select Client apps and only select Other clients
- Go to grant and select block access
- Save this policy
See the attached image