Forum Discussion
Disable MFA 14 day grace period?
Just looking for some advice here...
Is it possible to disable/remove the 14 day "grace period" for MFA registration for new users?
Premium subscription being used. Customer wants all new users to be forced to set up MFA when they first log in and not allow them to skip for 14 days.
I can't find anywhere to disable this? Security defaults is not enabled. A 3rd party service is being used for SSPR.
Thanks.
7 Replies
- okolomiitsev (Copper Contributor)
Or use some PowerShell script like this to get a list of not MFA enabled users and enable MFA for them:

```powershell
# install Graph module before start
# Install-Module Microsoft.Graph -Scope AllUsers -Repository PSGallery -Force
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

$users = Get-MgUser -All | Select-Object UserPrincipalName, Id

# getting list of not enabled MFA users
$usersWithoutMfa = @()
foreach ($user in $users) {
    $userId  = $user.Id
    $userUPN = $user.UserPrincipalName
    Write-Host "Checking MFA status for user: $userUPN" -ForegroundColor Yellow

    # Fetch the user's MFA status
    $mfaStatus = Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$userId/authentication/requirements"
    $mfaStatus.perUserMfaState

    # Check if MFA is already enabled
    if ($mfaStatus.perUserMfaState -in @('enabled', 'enforced')) {
        Write-Host "MFA is already enabled for user: $userUPN" -ForegroundColor Green
    } else {
        Write-Host "MFA is not enabled for user: $userUPN. Enabling now..." -ForegroundColor Red
        $usersWithoutMfa += $user
    }
}
$usersWithoutMfa.count
$usersWithoutMfa.UserPrincipalName

# Set MFA
# Go through each user and enable MFA
foreach ($user in $usersWithoutMfa) {
    $userId  = $user.Id
    $userUPN = $user.UserPrincipalName
    Write-Host "Enabling MFA for user: $userUPN" -ForegroundColor Green

    # MFA status
    $body = @{ "perUserMfaState" = "enabled" }

    # Invoke the request to update MFA status
    Invoke-MgGraphRequest -Method PATCH -Uri "/beta/users/$userId/authentication/requirements" -Body $body
}
Write-Host "MFA status has been enabled for all users." -ForegroundColor Cyan
```
- okolomiitsev (Copper Contributor)
You can manually enforce MFA for some users via
Per-user multifactor authentication - Microsoft Entra admin center
- Antons Bukels (Copper Contributor)
Hi Luke,
You could use Azure AD Conditional Access to enforce MFA when users access O365 from an untrusted network. This way users will be forced to register for MFA as soon as they access 365 resources.
You could also enforce MFA registration from the trusted network only. This way users will be able to access O365 only after registering MFA and only from the trusted network.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined
I hope it helps
Antons
- luke_m137 (Copper Contributor)
Thanks for your reply.
"You could use Azure AD Conditional Access to enforce MFA when users access O365 from an untrusted network."
I believe this is already configured, and what we are seeing is not many people are registering because not many are accessing M365 outside of work or outside of trusted devices/networks so that is why they are looking at this alternative...
"You could also enforce MFA registration from the trusted network only. This way users will be able to access O365 only after registering MFA"
Could potentially be an option however you went on to say "and only from the trusted network."
What do you mean "and only from the trusted network"?
Do you mean that they would be forced to register while connected to the trusted network and then they would be unable to access M365 services from outside of the trusted network once registered?
Or they would be forced to register, but they will be able to access from anywhere that Conditional Access policies permit once they have registered for MFA?
I don't want a scenario where users are forced to register for MFA and then can't do something like logging on to OWA on their home PC for example. That would not be ideal.
Look forward to hearing from you regarding that suggestion further. Thanks!!
- Chandrasekhar_Arya (Steel Contributor)
You need Identity Protection in order to get the 14-day grace period, and Identity Protection requires an Azure AD Premium P2 license. If you are a premium user, then MFA will be enforced once you enable MFA via Conditional Access, and the user cannot bypass it.
This is discussed by a content author in this Github issue:
Security defaults will trigger a 14 day grace period for registration after a user's first login and security defaults being enabled. After 14 days users will be required to register for MFA and will not be able to skip.
Conditional Access by itself without Azure Identity Protection does not allow for the 14 day grace period. Identity Protection includes the registration policy that allows registration on its own with no apps assigned to the policy. If a Conditional Access policy requires Multi-Factor Authentication then the user must be able to pass that MFA request.
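The Conditional Access approach described in the two replies above (Antons' "require MFA from untrusted networks" variant, and Chandrasekhar_Arya's point that a CA policy requiring MFA cannot be skipped) can be created with Microsoft Graph PowerShell. This is an added example, not code from any poster in this thread; it assumes the Microsoft.Graph module is installed, that the signed-in admin holds the `Policy.ReadWrite.ConditionalAccess` and `Application.Read.All` permissions, and the break-glass object ID is a placeholder to replace.

```powershell
# Added example (not from the thread). Creates a Conditional Access policy that
# requires MFA, so a user who has not registered yet is forced to register on
# first sign-in with no "skip for now" option.
# Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) account. Always
# exclude it so a broken MFA rollout cannot lock every admin out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# $true  = Antons' first variant: MFA only when coming from an untrusted network
# $false = what the original poster asked for: MFA from every network
$untrustedNetworksOnly = $false

$conditions = @{
    users        = @{
        includeUsers = @("All")
        excludeUsers = @($breakGlassId)
    }
    applications = @{
        includeApplications = @("All")
    }
}
if ($untrustedNetworksOnly) {
    # "AllTrusted" refers to the named locations marked as trusted in the tenant
    $conditions.locations = @{
        includeLocations = @("All")
        excludeLocations = @("AllTrusted")
    }
}

$policy = @{
    displayName   = "Require MFA for all users"
    # Report-only first: review the sign-in logs for unexpected blocks,
    # then change the state to "enabled" to enforce.
    state         = "enabledForReportingButNotEnforced"
    conditions    = $conditions
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Because the MFA grant is enforced at sign-in rather than by a registration campaign, a user who has no method registered is walked through registration immediately and cannot defer it; leave the policy in report-only until the sign-in log shows no unintended impact.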
- luke_m137 (Copper Contributor)
Thank you for your response, however, this isn't what I'm looking for.
I stated in my post that the organization does not use security defaults and they are already on a Premium subscription for Azure.
We want to enforce MFA registration immediately.
We don't want users to have the option to defer registration for 14 days.
Current behaviour: User logs in for first time - has option "skip for now (14 days until this is required)"
Desired behaviour: User logs in for first time - has to set up MFA to continue.
- EmilyAnderson (Copper Contributor)
Did you ever find a solution for this? We would also like to turn off the grace period so they are prompted to set up MFA immediately without being able to bypass.