Forum Discussion
Entra ID Identity Protection - MFA registration policy
Your situation involves implementing an MFA enrollment policy in Azure, specifically using Entra ID Identity Protection and dealing with challenges related to licensing and technical restrictions. I will address the issue in parts to offer a clearer solution.
Understanding Entra ID P2 License and MFA Registration Policy
Azure AD Identity Protection, a part of Microsoft Entra, provides advanced identity protection features, including the MFA registration policy, which requires Azure AD Premium P2 licenses. This means that only users with this license can directly benefit from the identity protection policies, including the mandatory MFA registration.
Activating MFA Registration Policy for Licensed Users
When you activate the MFA registration policy for "all users," the system will not automatically filter out users based on the presence of a valid Azure AD P2 license. This means the policy will attempt to be applied to all users, but will only be effective for those with the necessary licenses.
Recommended Solution: Dynamic Groups
The most effective solution is to create dynamic groups in Azure AD to segment users based on license types, including those with Azure AD Premium P2. This allows for the MFA registration policy from Entra ID Identity Protection to be specifically applied to licensed users, avoiding license compliance issues.
Steps to Implement:
1. Create Dynamic Groups:
- Use rules in dynamic groups to include users with specific Azure AD Premium P2 licenses. You can use rule expressions based on user license attributes.
2. Apply MFA Registration Policy:
- Apply the Entra ID Identity Protection MFA registration policy to these dynamic groups. This ensures only users with the appropriate licenses are required to register for MFA.
3. Monitoring and Adjustments:
- Monitor the effectiveness of the policy and make adjustments as needed, especially if there are changes in license distribution or security requirements.
Considerations Regarding SSPR (Self-Service Password Reset)
You mentioned the inability to utilize combined user registration with SSPR, which might be a limitation in some scenarios. However, focusing on the MFA registration policy through Identity Protection is a solid approach to enhancing security.
Conclusion
For mixed-license environments like yours, using dynamic groups to segment users based on P2 license availability and applying targeted security policies is the recommended strategy. This maximizes MFA registration policy coverage within the limitations of available licenses and maintains compliance with Microsoft's licensing policies.
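The dynamic-group approach from the steps above, as an added example that is not part of the original answer: it creates a dynamic security group whose membership rule matches users holding an enabled Entra ID P2 service plan, and then checks each member's license details so the group can be trusted as the target of the Identity Protection MFA registration policy. It assumes the Microsoft.Graph PowerShell module, an account with Group.ReadWrite.All and User.Read.All, a made-up group name, and the AAD_PREMIUM_P2 service plan ID as listed in Microsoft's product names and service plan identifiers reference (confirm the GUID against that reference before using it).

```powershell
# Added example, not code from the original thread. Assumes the Microsoft.Graph module
# and an admin with Group.ReadWrite.All + User.Read.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# AAD_PREMIUM_P2 service plan ID from Microsoft's service plan identifier reference;
# verify it against that reference before relying on it.
$p2ServicePlanId = "eec0eb4f-6444-4f95-aba0-50c24d67f998"

# Membership rule: only plans whose capabilityStatus is Enabled count, so a user whose
# P2 plan is suspended or deleted drops out of the group (and out of policy scope) automatically.
$rule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$p2ServicePlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`")"

# Group name and mail nickname are assumptions for this example.
$group = New-MgGroup -DisplayName "SG-EntraID-P2-Licensed" `
    -Description "Dynamic: users with an enabled Entra ID P2 plan; target of the Identity Protection MFA registration policy" `
    -MailEnabled:$false -MailNickname "sg-entraid-p2-licensed" -SecurityEnabled `
    -GroupTypes "DynamicMembership" -MembershipRule $rule -MembershipRuleProcessingState "On"

"Created group $($group.Id); the directory evaluates the rule asynchronously, so allow a few minutes."

# Verification: each member should report the P2 service plan as successfully provisioned.
# Any member with HasEnabledP2 = False indicates a rule or licensing problem worth investigating.
function Test-P2Membership {
    param([string]$GroupId, [string]$ServicePlanId)
    $members = Get-MgGroupMember -GroupId $GroupId -All
    foreach ($m in $members) {
        $details = Get-MgUserLicenseDetail -UserId $m.Id
        $hasP2 = $details.ServicePlans |
            Where-Object { $_.ServicePlanId -eq $ServicePlanId -and $_.ProvisioningStatus -eq "Success" }
        [pscustomobject]@{ UserId = $m.Id; HasEnabledP2 = [bool]$hasP2 }
    }
}

Test-P2Membership -GroupId $group.Id -ServicePlanId $p2ServicePlanId | Format-Table
```

Once the group is populated, select it as the assignment target of the MFA registration policy in the Identity Protection blade of the Entra admin center; the policy itself is not configured in this script. Re-run Test-P2Membership after license changes (step 3 above) to confirm the group still contains only licensed users.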
Thank you for a well informed and well structured response.
Very much appreciated indeed!
I have been (since yesterday) checking and testing the SSPR feature "require users to reconfirm their registered information" as a possible solution with a dynamic group that looks for accounts that are 1 week of age or less. This means the dynamic group will only have new accounts and then require them to register security information (and put SSPR enabled to this specific dynamic group). However, my challenge then is to exclude group/service accounts as they should not be covered.
We will see; I've also explored the option to only cover a specific app (and make an app registration with a website or SharePoint site) that is covered with the MFA requirement through CA. But then again, if a new user is not visiting that app the onboarding will not happen; then I could theoretically just advise them to register MFA methods under My Account (aka.ms/mfasetup etc.).
Thank you, I have some tinkering to do and we will see what solution (perhaps multiple) I have to use and consider. It is indeed a struggle when an internal network needs to be excluded from CA.