Locomotive
Copper Contributor
Feb 17, 2026

MFA catch-22 during onboarding due to registration policy

Hi,

We are experiencing a catch-22 scenario during user onboarding related to MFA.

New users are required to install the Microsoft Authenticator app via our Company Portal. However, they are prompted to complete MFA registration before they can access or download anything from the Company Portal. Since they do not yet have the Authenticator app installed, they are effectively blocked from completing the MFA setup.

From our investigation, it appears that the Multi-Factor Authentication registration policy is enforcing MFA registration for new users. In our scenario, this creates a circular dependency.

We have attempted to exclude our office network from MFA using Conditional Access, but this does not resolve the issue because the MFA registration policy is triggered before Conditional Access policies are evaluated.

Our questions:

  • Is there a recommended way to handle MFA onboarding in this type of scenario?
  • Can Conditional Access policies be used instead of the MFA registration policy for initial MFA enrollment?

 
