Forum Discussion
MFA catch-22 during onboarding due to registration policy
Hi,
We are experiencing a catch-22 scenario during user onboarding related to MFA.
New users are required to install the Microsoft Authenticator app via our Company Portal. However, they are prompted to complete MFA registration before they can access or download anything from the Company Portal. Since they do not yet have the Authenticator app installed, they are effectively blocked from completing the MFA setup.
From our investigation, it appears that the Multi-Factor Authentication registration policy is enforcing MFA registration for new users. In our scenario, this creates a circular dependency.
We have attempted to exclude our office network from MFA using Conditional Access, but this does not resolve the issue because the MFA registration policy is triggered before Conditional Access policies are evaluated.
Our questions:
- Is there a recommended way to handle MFA onboarding in this type of scenario?
- Can Conditional Access policies be used instead of the MFA registration policy for initial MFA enrollment?
4 Replies
- Bence_Weiszmann, Copper Contributor
Hey,
It is not strictly necessary to utilize the registration policy, since users will automatically be prompted to register their authentication methods the first time they attempt to access an MFA-enabled application anyway. This means that the enrollment of the user’s methods will still occur at the appropriate time, while at the same time providing more flexibility for the implementation of the solution.
Furthermore, it is possible to utilize a Conditional Access policy, which is specifically targeted at the security info registration process. This enables the organization to control conditions such as trusted locations, devices, and user groups, and helps to avoid the creation of circular dependencies during the enrollment process.
By utilizing this approach, it is possible to simplify the initial onboarding process, making it more user-friendly and at the same time ensuring security for the enrollment process of the MFA methods.
Another option is using a Temporary Access Pass (TAP) during initial account setup. It can make it easier to enable MFA for the first time, reducing those circular problems.
Best regards,
Bence

The behavior you are seeing is expected.
The Authentication Methods Registration Policy is evaluated before the Conditional Access policies. Therefore, excluding the corporate network via Conditional Access does not solve the problem: the block occurs at the method registration stage, not at the authorization stage.
In your scenario, there is a circular dependency:
- The user needs to register MFA
- The only method allowed is Microsoft Authenticator
- The user cannot install Authenticator because they have not yet completed registration
Recommended approach
The recommended practice for onboarding in these cases is to use Temporary Access Pass (TAP).
TAP allows the user to:
- log in for the first time with a secure temporary method
- register Microsoft Authenticator
- complete the initial MFA setup
TAP acts as a temporary strong authentication method to bootstrap MFA registration, eliminating circular dependency without reducing security.
About using Conditional Access instead of the registration policy
No. Conditional Access does not replace the authentication method registration policy, as they are different controls. Method registration always occurs before Conditional Access evaluation.
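The TAP bootstrap described in this reply, as an added example that is not part of the thread: a Microsoft Graph PowerShell script that enables the Temporary Access Pass method for an onboarding group and issues a short-lived, one-time pass to a new user. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules are installed, that the caller holds a role allowed to manage authentication methods and policy, and that the UPN and group id are placeholders.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumes: Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules,
# an account permitted to manage the authentication methods policy and user methods,
# and placeholder values for the user and the onboarding group.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. newhire@contoso.example
    [int] $LifetimeInMinutes = 60,                         # keep the pass short-lived
    [switch] $Reusable                                     # default is one-time use
)

# Scopes: one to (re)configure TAP in the tenant policy, one to issue a pass for a user.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# 1. Enable TAP, scoped to an onboarding group rather than all users, so the method
#    is only available where the bootstrap is actually needed.
$onboardingGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder group object id
$tapConfig = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true    # tenant default: passes are single-use
    includeTargets           = @(
        @{ targetType = 'group'; id = $onboardingGroupId; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $tapConfig

# 2. Issue the pass. The value is only returned once; hand it to the user out of band
#    (in person or through a verified channel), not by e-mail to the new mailbox itself.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter @{
    lifetimeInMinutes = $LifetimeInMinutes
    isUsableOnce      = -not $Reusable.IsPresent
}

# 3. Return what the helpdesk needs to record (never log the pass value itself).
$start = [datetime]$tap.StartDateTime
[pscustomobject]@{
    User       = $UserPrincipalName
    Pass       = $tap.TemporaryAccessPass      # show once, then discard
    ExpiresUtc = $start.AddMinutes($tap.LifetimeInMinutes).ToUniversalTime()
    OneTimeUse = $tap.IsUsableOnce
}
```

Because a TAP counts as a strong authentication method, the user can sign in with it, pass the registration prompt, and enrol Microsoft Authenticator without an already-registered method; after the single use (or expiry) the pass is dead, so the bootstrap window is bounded to the lifetime you set.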
- ThomasMcGurn, Copper Contributor
I would make the Microsoft Authenticator pushed by default to the devices assuming these are company devices. This will reduce the amount of steps users are required to do during onboarding and will also solve for the problem of needing to sign into the company portal.
As Vasil suggested, I would start to move the business in the direction of assigning TAP codes for initial onboarding; this will also prevent these loops you are seeing with Conditional Access and MFA registration policies. You don't need to use the registration policy; even without it, users will be prompted to register methods the first time they try to access any MFA-protected app. Also, you can scope a CA policy to the registration process itself: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-security-info-registration
Alternatively, consider using methods such as TAP for the initial account provisioning.
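The Conditional Access option mentioned in the replies above (a policy scoped to the security info registration user action), as an added example that is not part of the thread: it creates the policy in report-only mode with Microsoft Graph PowerShell, allowing registration from a trusted named location and otherwise requiring MFA, which a TAP satisfies. It assumes the Microsoft.Graph.Identity.SignIns module, a Conditional Access administrator account, and placeholder ids for the named location and a break-glass group.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumes: Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules,
# an account allowed to manage Conditional Access, and placeholder object ids below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$officeLocationId   = '11111111-1111-1111-1111-111111111111'   # placeholder namedLocation id ('AllTrusted' is also accepted)
$breakGlassGroupId  = '22222222-2222-2222-2222-222222222222'   # placeholder: emergency-access accounts stay excluded

$policy = @{
    displayName = 'Secure security info registration'
    # Start in report-only and read the sign-in logs before switching to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # Targets the registration step itself rather than an application.
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @($officeLocationId)   # on-site registration needs no extra proof
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # off-site: registration only with MFA, which a TAP provides
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) ($($created.DisplayName)) in state $($created.State)"
```

Note the interplay with the thread's point: this policy governs the registration flow, it does not replace the registration campaign policy. If the tenant also restricts which methods are allowed, a new user off-site still needs a TAP (or another already-registered strong method) to get through the `mfa` grant, so the CA policy and the TAP step belong together in the onboarding runbook.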