Oct 20 2021 02:39 AM
Oct 20 2021 07:30 AM - edited Oct 20 2021 07:31 AM
You need Identity Protection in order to get the 14-day grace period, and Identity Protection requires an Azure AD Premium P2 license. If you are a Premium user, then MFA will be enforced once you enable MFA via Conditional Access, and the user cannot bypass it.
This is discussed by a content author in this GitHub issue:
Security defaults will trigger a 14-day grace period for registration after a user's first login and security defaults being enabled. After 14 days users will be required to register for MFA and will not be able to skip.
Conditional Access by itself, without Azure Identity Protection, does not allow for the 14-day grace period. Identity Protection includes the registration policy that allows registration on its own with no apps assigned to the policy. If a Conditional Access policy requires multi-factor authentication, then the user must be able to pass that MFA request.
Oct 20 2021 08:29 AM
Oct 20 2021 03:05 PM
Thank you for your response, however, this isn't what I'm looking for.
I stated in my post that the organization does not use security defaults and they are already on a Premium subscription for Azure.
We want to enforce MFA registration immediately.
We don't want users to have the option to defer registration for 14 days.
Current behaviour: User logs in for first time - has option "skip for now (14 days until this is required)"
Desired behaviour: User logs in for first time - has to set up MFA to continue.
Oct 20 2021 03:13 PM
Thanks for your reply.
"You could use Azure AD Conditional Access to enforce MFA when users access O365 from an untrusted network."
I believe this is already configured, and what we are seeing is that not many people are registering, because not many are accessing M365 outside of work or outside of trusted devices/networks, so that is why they are looking at this alternative...
"You could also enforce MFA registration from the trusted network only. This way users will be able to access O365 only after registering MFA"
Could potentially be an option however you went on to say "and only from the trusted network."
What do you mean "and only from the trusted network"?
Do you mean that they would be forced to register while connected to the trusted network, and then they would be unable to access M365 services from outside of the trusted network once registered?
Or they would be forced to register, but they will be able to access from anywhere that Conditional Access policies permit once they have registered for MFA?
I don't want a scenario where users are forced to register for MFA and then can't do something like logging on to OWA on their home PC for example. That would not be ideal.
Look forward to hearing from you regarding that suggestion further. Thanks!!
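Added example, not from any of the posts above: the two Conditional Access policies discussed in this thread (require MFA for cloud apps outside trusted locations, and the "register security info only from the trusted network" user-action policy) written as Microsoft Graph v1.0 conditionalAccessPolicy payloads, plus a small model that walks the sign-in scenarios the OP asks about (unregistered user in the office, unregistered user on a home PC, registered user on a home PC, registration attempt from each). The policy dicts use the real Graph schema; the evaluator is a simplified model written for this illustration, not Microsoft's engine, the break-glass group id is a placeholder, and the assumption that the registration interrupt is itself subject to the register-security-info user-action policy is a modelling assumption flagged in the code.

```python
"""Added example, not from the thread: the Conditional Access policies discussed
above as Microsoft Graph v1.0 conditionalAccessPolicy payloads, plus a small
model of how they act on a user who has / has not registered an MFA method.
The evaluator is a simplification written for this illustration, not the real
policy engine; the group id is a placeholder."""
import copy

REGISTER_ACTION = "urn:user:registersecurityinfo"  # Graph user-action id

# Require MFA for all cloud apps from outside trusted locations. A user with no
# registered method who hits this gets the mandatory registration interrupt
# (no "skip for now"); only the Identity Protection registration policy offers
# the 14-day grace period.
REQUIRE_MFA_UNTRUSTED = {
    "displayName": "Require MFA outside trusted locations",
    "state": "enabled",  # "enabledForReportingButNotEnforced" to pilot first
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeGroups": ["<break-glass-group-object-id>"]},  # placeholder
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Same requirement with no location exclusion: the OP's desired behaviour,
# first sign-in from anywhere (office included) must register before continuing.
REQUIRE_MFA_ANYWHERE = copy.deepcopy(REQUIRE_MFA_UNTRUSTED)
REQUIRE_MFA_ANYWHERE["displayName"] = "Require MFA for all cloud apps"
REQUIRE_MFA_ANYWHERE["conditions"]["locations"]["excludeLocations"] = []

# "Register only from the trusted network": block the register-security-info
# user action from untrusted locations. It says nothing about app access.
REGISTER_ONLY_TRUSTED = {
    "displayName": "Secure security info registration",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeGroups": ["<break-glass-group-object-id>"]},  # placeholder
        "applications": {"includeUserActions": [REGISTER_ACTION]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def applies(policy, target, trusted):
    """Does this policy match a sign-in to `target` (an app name, or the
    register user action) from a trusted / untrusted location?"""
    if policy["state"] != "enabled":
        return False
    apps = policy["conditions"]["applications"]
    if target == REGISTER_ACTION:
        if REGISTER_ACTION not in apps.get("includeUserActions", []):
            return False
    elif "All" not in apps.get("includeApplications", []):
        return False
    loc = policy["conditions"]["locations"]
    if trusted and "AllTrusted" in loc["excludeLocations"]:
        return False
    return "All" in loc["includeLocations"]


def controls_for(target, trusted, policies):
    """Union of grant controls from every policy that applies."""
    return {c for p in policies if applies(p, target, trusted)
            for c in p["grantControls"]["builtInControls"]}


def sign_in(target, trusted, has_mfa_method, policies):
    """Outcome of one sign-in: 'allowed', 'mfa_challenge', 'registration_required',
    'blocked', or 'stuck' (registration required but blocked from this location).
    Modelling assumption: the registration interrupt is itself the
    register-security-info user action, so a block on that action applies to it."""
    controls = controls_for(target, trusted, policies)
    if "block" in controls:
        return "blocked"
    if "mfa" not in controls:
        return "allowed"
    if has_mfa_method:
        return "mfa_challenge"
    if "block" in controls_for(REGISTER_ACTION, trusted, policies):
        return "stuck"
    return "registration_required"


def walk_through(policies):
    """The scenarios raised in the thread, for a given policy set."""
    app = "Office 365"
    return {
        "unregistered user, office, Outlook": sign_in(app, True, False, policies),
        "unregistered user, home, OWA": sign_in(app, False, False, policies),
        "registered user, home, OWA": sign_in(app, False, True, policies),
        "unregistered user, home, tries to register": sign_in(REGISTER_ACTION, False, False, policies),
        "unregistered user, office, tries to register": sign_in(REGISTER_ACTION, True, False, policies),
    }


if __name__ == "__main__":
    for name, pols in [("MFA outside trusted only", [REQUIRE_MFA_UNTRUSTED]),
                       ("plus registration only from trusted", [REQUIRE_MFA_UNTRUSTED, REGISTER_ONLY_TRUSTED]),
                       ("MFA everywhere", [REQUIRE_MFA_ANYWHERE])]:
        print(name)
        for scenario, outcome in walk_through(pols).items():
            print(f"  {scenario}: {outcome}")
```

Two things the walk-through makes visible. With only the "MFA outside trusted" policy, an unregistered user in the office is never prompted, which is the low-registration pattern described above; a registered user at home gets an MFA challenge and then access, so the "can't use OWA from home" worry does not arise from that policy. Adding the "register only from trusted" policy on top of it, however, leaves an unregistered user who first hits MFA from home with no way to register from there (the "stuck" outcome, under the modelling assumption above), so that combination needs a rollout step where everyone registers from the trusted network first, or a break-glass exclusion. Each dict can be created with a POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies using the Policy.ReadWrite.ConditionalAccess permission; start with state "enabledForReportingButNotEnforced" and read the report-only sign-in logs before enforcing.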