SOLVED

Enforce the user to enter their security info before MFA is enabled

Occasional Contributor

 

The question is very simple:

Can I enforce the user to set up their Security info from a sign-in prompt a few days before I enforce the user to use MFA?

 

I am preparing the MFA rollout and I can see Microsoft documented the process of how to Set up your Security info from a sign-in prompt. By the way, the user experience which is documented over there can be seen on new tenants or after you enable combined security information registration in Azure Active Directory at your old tenant.  

 

The very first screen on that page triggered my curiosity on how to make it before the MFA is enabled for the user. I found the article Combined security information registration for Azure Active Directory overview where there is a use case I need to implement, but not documented. 

Can you tell me if this is possible and, if yes, give me a tip on what to do to make it happen, please?

 

By the way - the Require Re-register MFA option when the user is not enforced to use MFA doesn't trigger this setup security info request during the sign-in process. 

 

 

2 Replies
Best Response confirmed by Michal_Z (Occasional Contributor)
Solution
One way is to do this through Identity Protection (it requires a P2 license though) => https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protectio...

Know that you can also preprovision MFA for a user. This is a pretty cool way to do it => https://janbakker.tech/prepopulate-phone-methods-for-mfa-and-sspr-using-graph-api/
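
The pre-provisioning route mentioned in the reply above, sketched as an added example (not part of the original post and not the linked article's code): it plans Microsoft Graph `phoneMethods` calls for users who have no mobile method yet and rejects numbers Graph would refuse. The roster, the `contoso.example` tenant and the helper names are constructed for illustration, and `PHONE_RE` is a simplified format check that ignores extensions.

```python
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph expects "+{country code} {number}", e.g. "+1 5555551234" (simplified check)
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}$")

def plan_phone_methods(roster, existing):
    """Return (requests, rejected) for users who still lack a mobile method.

    roster:   {upn: phone} from a trusted source such as the HR system
    existing: {upn: [phoneType, ...]} as read back from
              GET /users/{upn}/authentication/phoneMethods
    """
    requests, rejected = [], []
    for upn, phone in sorted(roster.items()):
        if "mobile" in existing.get(upn, []):
            continue  # already registered; never overwrite a user's own method
        if not PHONE_RE.match(phone):
            rejected.append((upn, phone))  # Graph would refuse this format
            continue
        requests.append({
            "method": "POST",
            "url": f"{GRAPH}/users/{upn}/authentication/phoneMethods",
            "body": {"phoneNumber": phone, "phoneType": "mobile"},
        })
    return requests, rejected

def send(req, token):
    """Send one planned request; token needs UserAuthenticationMethod.ReadWrite.All."""
    http = urllib.request.Request(
        req["url"], data=json.dumps(req["body"]).encode(), method=req["method"],
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(http) as resp:
        return resp.status  # 201 when the method was created

# Constructed sample data (contoso.example is a placeholder tenant).
ROSTER = {
    "alice@contoso.example": "+1 5555550101",
    "bob@contoso.example": "0612345678",       # missing country code
    "carol@contoso.example": "+31 612345678",
}
EXISTING = {"carol@contoso.example": ["mobile"]}

if __name__ == "__main__":
    todo, bad = plan_phone_methods(ROSTER, EXISTING)
    print(json.dumps(todo, indent=2))
    print("fix before upload:", bad)
```

A number written this way becomes a sign-in factor the user never confirmed, so the roster should come from an authoritative record and the write permission should be held only by the provisioning identity.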

@Thijs Lecomte 

Great content. Thx a lot. I will go through it tomorrow. But I already see the value.