SOLVED

MFA registration with Conditional access rules enabled


I've run into a seemingly silly issue that I'm hoping someone can provide a simple answer to.


  1. We have set up Entra ID with MFA.
  2. We have set up Conditional Access rules that require a user to do MFA when outside trusted locations (our offices, basically).
  3. A new user starts and is working from home.
  4. They are prompted for MFA, but they can't set up MFA because the CA rule requires them to perform MFA first.
  5. Go to 4.


Is there a way to allow a login and not get prompted for MFA if they need to register for MFA the first time?

Can't think of an elegant solution to this problem, but here are some things that come to mind:

- add a temporary, time-limited MFA bypass in Entra ID; this is referred to as a one-time bypass.
- is VPN an option for you? The VPN segment could be added to the trusted locations list.
- if you have one, use a jump server or Azure Virtual Desktop (AVD). You can have them connect there first. This of course also assumes these machines are or can be added to the trusted locations list.
best response confirmed by lfk73 (Brass Contributor)
Solution
To resolve this, you need to adjust your Conditional Access policies to allow new users to register for MFA from untrusted locations. Here's a step-by-step approach to resolve this issue:

1) Temporary Access for Registration: Create a temporary Conditional Access policy or modify the existing one to allow users to register for MFA from untrusted locations. This policy should be specifically targeted at users who have not completed their MFA registration. You can use the "Users and groups" condition to target these users specifically.

2) Use a One-Time Bypass: Depending on the specifics of your MFA setup, you might be able to issue a one-time bypass code for MFA. This allows the user to bypass MFA temporarily to set it up properly.

3) Trusted Device or Location: Another option is to allow MFA registration from a trusted device or location. For instance, you could have a policy that allows users to register for MFA when they're connected to your network via VPN or from a specific device.

4) Grace Period: Some MFA solutions offer a grace period for new users, during which they can complete their MFA registration. You can check if your system has such a feature and enable it.

5) Role-Based Conditions: If possible, apply the MFA requirement based on roles. New users could be assigned a temporary role that does not require MFA until they have it set up.

6) Communication and Support: Inform new users of the MFA registration process and provide them with clear instructions. Make sure they know whom to contact for support if they run into issues.

7) Testing: Always test your Conditional Access policies to ensure they work as intended without locking out legitimate users.

After the user has registered for MFA, you can revert the changes to your Conditional Access policies, maintaining the security posture you desire.

Remember, the specific steps might vary based on the specifics of your setup (like the MFA solution you're using), but the general approach should help you resolve this issue.
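One concrete shape for steps 1 and 7 of the accepted answer, as an added example that is not part of the original thread and not Microsoft's own tooling: it builds the Microsoft Graph v1.0 request body for a Conditional Access policy that requires MFA outside trusted locations but excludes a dedicated "MFA registration pending" security group, approximates the policy's decision offline for the three sign-in cases in the question, and reconciles that group against MFA registration state so the exclusion lasts only as long as the registration gap it exists for. The group ID, the user records and the group membership below are constructed placeholders; the `userRegistrationDetails` field name `isMfaRegistered` and the policy schema (`includeUsers`, `excludeGroups`, `excludeLocations: AllTrusted`, `builtInControls: mfa`, the report-only state) are real Graph values.

```python
"""Added example (not from the original thread): the Microsoft Graph request
body for the Conditional Access policy described in step 1, a small offline
check of its grant decision, and a reconciliation of the exclusion group
against MFA registration state. The group ID and user records are
constructed placeholders, not values from any real tenant."""
import json

# Constructed placeholder for the object ID of the "MFA registration pending" security group.
PENDING_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_mfa_policy(pending_group_id: str,
                     state: str = "enabledForReportingButNotEnforced") -> dict:
    """Request body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

    Requires MFA for all users from any location that is not a trusted named
    location, except members of the registration-pending group. The default
    state is report-only, so the change can be validated (step 7) before it
    is switched to "enabled"."""
    return {
        "displayName": "Require MFA outside trusted locations (MFA registration exclusion)",
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [pending_group_id],
            },
            "applications": {"includeApplications": ["All"]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": ["AllTrusted"],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mfa_required(policy: dict, user_group_ids: list, from_trusted_location: bool) -> bool:
    """Offline approximation of the policy's decision for one sign-in.

    Only the users and locations conditions built above are modelled; the
    real evaluation also applies every other policy in the tenant."""
    users = policy["conditions"]["users"]
    if set(user_group_ids) & set(users.get("excludeGroups", [])):
        return False  # member of an excluded group: policy does not apply
    locations = policy["conditions"]["locations"]
    if from_trusted_location and "AllTrusted" in locations.get("excludeLocations", []):
        return False  # trusted named location: policy does not apply
    return "mfa" in policy["grantControls"]["builtInControls"]


def reconcile_pending_group(registration_details: list, current_member_ids: list) -> tuple:
    """Decide who belongs in the exclusion group.

    registration_details: records shaped like Graph userRegistrationDetails
    (GET /reports/authenticationMethods/userRegistrationDetails), using the
    fields id and isMfaRegistered. Returns (ids_to_add, ids_to_remove) so the
    exclusion is granted only while a user is unregistered and is withdrawn
    as soon as registration completes."""
    unregistered = {r["id"] for r in registration_details if not r["isMfaRegistered"]}
    current = set(current_member_ids)
    return sorted(unregistered - current), sorted(current - unregistered)


# Constructed sample data: three users, one of whom has finished registering
# but is still sitting in the exclusion group.
SAMPLE_REGISTRATION = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"id": "u2", "userPrincipalName": "bob@example.com", "isMfaRegistered": False},
    {"id": "u3", "userPrincipalName": "carol@example.com", "isMfaRegistered": False},
]
SAMPLE_GROUP_MEMBERS = ["u1", "u2"]

if __name__ == "__main__":
    policy = build_mfa_policy(PENDING_GROUP_ID)
    print(json.dumps(policy, indent=2))
    print("new user at home, in pending group:", mfa_required(policy, [PENDING_GROUP_ID], False))
    print("new user at home, not in group:   ", mfa_required(policy, [], False))
    print("any user in the office:           ", mfa_required(policy, [], True))
    add, remove = reconcile_pending_group(SAMPLE_REGISTRATION, SAMPLE_GROUP_MEMBERS)
    print("add to pending group:", add, "remove from pending group:", remove)
```

The policy starts in report-only mode on purpose: the sign-in logs then show which users would have been blocked before anyone is actually locked out. While a user is in the exclusion group, that account signs in from anywhere with a password alone, so the reconciliation step is the part that keeps the exclusion from quietly becoming permanent; run it on a schedule or on a new-hire trigger and remove members as soon as `isMfaRegistered` flips to true. An alternative to a standing exclusion group is a Temporary Access Pass, Entra ID's time-limited onboarding credential, which satisfies the MFA requirement for long enough to register a method and needs no policy change.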