Forum Discussion
MFA catch-22 during onboarding due to registration policy
Hey,
It is not strictly necessary to utilize the registration policy, since users will automatically be prompted to register their authentication methods the first time they attempt to access an MFA-enabled application anyway. This means that the enrollment of the user’s methods will still occur at the appropriate time, while at the same time providing more flexibility for the implementation of the solution.
Furthermore, it is possible to utilize a Conditional Access policy, which is specifically targeted at the security info registration process. This enables the organization to control conditions such as trusted locations, devices, and user groups, and helps to avoid the creation of circular dependencies during the enrollment process.
By utilizing this approach, it is possible to simplify the initial onboarding process, making it more user-friendly and at the same time ensuring security for the enrollment process of the MFA methods.
Another option is using a Temporary Access Pass (TAP) during initial account setup. It can make it easier to enable MFA for the first time, reducing those circular problems.
Best regards,
Bence
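As an added example, not part of Bence's post or any vendor documentation, here is a PowerShell sketch using the Microsoft Graph PowerShell SDK that implements the two measures described above: a Conditional Access policy targeted at the security info registration user action (`urn:user:registersecurityinfo`), and a one-time Temporary Access Pass for a newly created user. The group object ID, the break-glass account ID and the user principal name are placeholders you must replace; the policy is created in report-only mode so its effect can be reviewed in sign-in logs before it is enforced.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and an admin with the scopes below.
Connect-MgGraph -Scopes @(
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "UserAuthenticationMethod.ReadWrite.All"
)

# --- 1. Conditional Access policy scoped to security info registration ---
# Placeholders (assumptions): replace with object IDs from your tenant.
$onboardingGroupId  = "00000000-0000-0000-0000-000000000000"
$breakGlassUserId   = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "Onboarding - secure security info registration"
    # Report-only first; change to "enabled" after checking sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($onboardingGroupId)
            # Always exclude emergency-access accounts from CA policies.
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            # Target the registration user action, not an application.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            # Apply everywhere except named/trusted locations, so
            # registration is only allowed from trusted networks.
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        # Block rather than "require MFA": requiring MFA here would
        # recreate the catch-22 for users who have no method yet.
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created CA policy $($created.Id) in report-only mode"

# --- 2. Temporary Access Pass for a new user's first sign-in ---
# Prerequisite: TAP must be enabled in the tenant's Authentication methods
# policy and scoped to the onboarding group (portal or Graph).
$newUserUpn = "new.user@example.com"   # placeholder

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newUserUpn -BodyParameter @{
    lifetimeInMinutes = 60      # short validity window
    isUsableOnce      = $true   # single use: one first sign-in to register methods
}

# Hand this value to the user through an out-of-band channel; it is only
# shown once at creation time.
Write-Host "TAP for $newUserUpn (valid $($tap.LifetimeInMinutes) min): $($tap.TemporaryAccessPass)"
```

The TAP satisfies the strong-authentication requirement at first sign-in, so the user can register Authenticator or FIDO2 methods without already having one; the Conditional Access policy above then prevents an attacker who only holds the user's password from registering their own methods from an untrusted network. Keep the policy in report-only mode until the sign-in logs confirm that legitimate onboarding traffic is not being blocked.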