We are working on a plan to force MFA for non-trusted IPs. But most of our users have not set up MFA yet. I'm concerned the setup process isn't simple enough and am thinking about risk. How do you allow users to set up MFA securely?
I mean, if they don't have MFA set up yet, how do you verify it's them setting up MFA? All they would need to set up MFA is the username/password.
01-08-2020 07:32 AM
01-08-2020 08:24 AM
01-08-2020 09:04 AM
01-08-2020 02:44 PM
01-08-2020 07:21 PM
01-09-2020 05:26 AM
As has been mentioned a couple of times above, you can secure the MFA registration process using Conditional Access policies - I wrote about this a while ago (when it entered preview) if you wanted some more context / background. See here: Security Information Registration & Conditional Access.
In short, CA allows you to determine the conditions under which Security Information can be registered: trusted location, compliant device, specific restrictions for high-profile users, etc. It's a highly flexible way of controlling registration.
Good luck! :)
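
One way to express the trusted-location condition described in the reply above, as an added example that is not part of the original thread or the linked article. It assumes the Microsoft Graph PowerShell SDK, that your trusted named locations are already defined in the tenant, and a placeholder object ID for an emergency-access account; the display name is made up for illustration.

```powershell
# Added example: block registration of security information (MFA/SSPR methods)
# from any location that is not marked as trusted.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    # Hypothetical name, choose your own convention.
    displayName = "Block security info registration outside trusted locations"

    # Report-only first: sign-in logs show what would have been blocked
    # without locking anyone out. Switch to "enabled" after reviewing.
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: object ID of an emergency-access account, so a
            # misconfigured location list cannot lock out every administrator.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{
            # Target the "Register security information" user action
            # instead of a cloud app.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            # Applies everywhere except named locations flagged as trusted.
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }

    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

With this in place, a username and password alone are not enough to enrol an MFA method from an untrusted network; users who can never reach a trusted location need a separate path, such as a helpdesk-verified enrolment.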