Forum Discussion
MFA catch-22 during onboarding due to registration policy
Hi,
We are experiencing a catch-22 scenario during user onboarding related to MFA.
New users are required to install the Microsoft Authenticator app via our Company Portal. However, they are prompted to complete MFA registration before they can access or download anything from the Company Portal. Since they do not yet have the Authenticator app installed, they are effectively blocked from completing the MFA setup.
From our investigation, it appears that the Multi-Factor Authentication registration policy is enforcing MFA registration for new users. In our scenario, this creates a circular dependency.
We have attempted to exclude our office network from MFA using Conditional Access, but this does not resolve the issue because the MFA registration policy is triggered before Conditional Access policies are evaluated.
Our questions:
- Is there a recommended way to handle MFA onboarding in this type of scenario?
- Can Conditional Access policies be used instead of the MFA registration policy for initial MFA enrollment?
1 Reply
You don't need to use the registration policy; even without it, users will be prompted to register methods the first time they try to access any MFA-protected app. Also, you can scope a CA policy to the registration process itself: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-security-info-registration
Alternatively, consider using methods such as TAP for the initial account provisioning.
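As an added example (not part of the reply above, and not Microsoft's own sample), the two options the answer describes, written with the Microsoft Graph PowerShell SDK: a Conditional Access policy scoped to the security-info registration user action that exempts trusted locations, and a Temporary Access Pass for a new hire who is off-site. The policy name, the break-glass account object ID and the user principal name are placeholders; the office network is assumed to already be a trusted named location, and TAP is assumed to be enabled in the tenant's authentication methods policy.

```powershell
# Added example (not from the original reply). Requires the Microsoft.Graph module and an
# admin account that can consent to the listed scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","UserAuthenticationMethod.ReadWrite.All"

# 1. Conditional Access policy scoped to the "register security information" user action.
#    Registration from a trusted (office) location is not challenged, so new hires can enrol
#    Authenticator on-site; registration from anywhere else requires MFA. Evaluated instead
#    of the tenant-wide MFA registration policy, which should then be left off.
$policy = @{
    displayName = "Secure security info registration"          # placeholder name
    state       = "enabledForReportingButNotEnforced"           # report-only first; switch to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")  # placeholder: emergency access account
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")                   # named locations marked as trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Temporary Access Pass for a user who cannot register from the office network:
#    a short-lived, single-use credential that satisfies MFA once, so the user can reach the
#    Company Portal and register Authenticator without already having it installed.
$userId = "newhire@contoso.example"                              # placeholder UPN
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId -BodyParameter @{
    lifetimeInMinutes = 60      # expires after one hour
    isUsableOnce      = $true   # cannot be replayed after the first sign-in
}
# The pass value is returned only once; deliver it to the user out-of-band.
$tap.TemporaryAccessPass
```

Review the report-only sign-in logs for the registration action before switching the policy state to enabled.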