Jan 08 2020 07:29 AM - last edited on Jan 14 2022 04:35 PM by TechCommunityAP
We are working on a plan to force MFA for non-trusted IPs. But most of our users have not set up MFA yet. I'm concerned the setup process isn't simple enough and thinking about risk. How do you allow users to set up MFA securely?
I mean if they don't have MFA set up yet, how do you verify it's them setting up MFA? All they would need to set up MFA is the username/password.
jb
Jan 09 2020 05:26 AM
Hi @Jason_Benway,
As has been mentioned a couple of times above, you can secure the MFA registration process using Conditional Access policies - I wrote about this a while ago (when it entered preview) if you wanted some more context / background. See here: Security Information Registration & Conditional Access.
In short, CA allows you to determine the conditions under which Security Information can be registered: trusted location, compliant device, specific restrictions for high profile users, etc. It's a highly flexible way of controlling registration.
Good luck! 🙂
Kelvin
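
A check for the setup described in the reply above, as an added example that is not part of the original thread: it audits an exported list of Conditional Access policies and reports whether security information registration is actually restricted. The property names and the `urn:user:registersecurityinfo` user action follow the Microsoft Graph `conditionalAccessPolicy` resource; the policy names, the sample data and the "ok"/"review" criteria are assumptions made for this example.

```python
REGISTER_ACTION = "urn:user:registersecurityinfo"  # Graph user-action identifier
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

# Constructed sample, shaped like GET /identity/conditionalAccess/policies results.
# The users condition is omitted to keep the sample short.
SAMPLE_POLICIES = [
    {"displayName": "MFA for untrusted IPs", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Registration: trusted locations only", "state": "enabled",
     "conditions": {"applications": {"includeUserActions": [REGISTER_ACTION]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Registration: compliant device (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeUserActions": [REGISTER_ACTION]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def assess(policy):
    """Return None if the policy does not target registration, else a finding."""
    cond = policy.get("conditions") or {}
    actions = (cond.get("applications") or {}).get("includeUserActions") or []
    if REGISTER_ACTION not in actions:
        return None
    if policy.get("state") != "enabled":
        return "not enforced"  # disabled or report-only
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    loc = cond.get("locations") or {}
    outside_trusted = ("All" in (loc.get("includeLocations") or [])
                       and "AllTrusted" in (loc.get("excludeLocations") or []))
    if "block" in controls and outside_trusted:
        return "ok: blocked outside trusted locations"
    if controls and controls <= DEVICE_CONTROLS:
        return "ok: managed device required"
    return "review: controls=" + ",".join(sorted(controls))


def registration_findings(policies):
    """Map displayName -> finding for every policy that targets registration."""
    return {p["displayName"]: f for p in policies if (f := assess(p)) is not None}


def registration_is_protected(policies):
    return any(f.startswith("ok") for f in registration_findings(policies).values())
```

With the sample data, the sign-in MFA policy alone leaves registration unrestricted, and the report-only pilot does not count as protection until its state is `enabled`.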