Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Entra ID Identity Protection - MFA registration policy

Brass Contributor

Hello Everyone,
Ive been reading up a lot on the possibility to enforce MFA registrations for users in different types of tenants. Until recently ive always used CA policies to enforce the MFA requirement and follow ring-based deployments. Then i had a few instances where i was able to use Entra ID Identity protection "MFA Registration Policy" and target each ring group instead. These has all been E5 tenants. However, now im encountering a tenant where i can not use CA rules to enforce (this specific network must be excluded) and not everyone has Entra ID P2 licenses covering all the users (so i can not use the Entra Identity Protection "MFA Registration Policy") - However, i would love to use the policy for the amount of users that has the License. 
So my question is, if i activate the "MFA Registration Policy" for "all users" - will it be smart enough to only target those with valid licenses or do i need to create dynamic groups to single out all the 5-6 different licenses types that includes the P2 ?

The more i read on recent changes in both product pages, learn and elsewhere im unable to find if i can actually use "MFA Registration Policy" with or without licenses - so if anyone is able to point me in the right direction here i would be happy to.

Much appreciated.



edit: I also know about the SSPR and get the "combined registration", however, in this instance we are unable to use SSPR. (alltho, it seems i can target an empty group with SSPR, enable it, and have some sort enforcement this way, but it seems to "the wrong way").

What i wish to achieve is every new account should register for MFA in an environment where i can not cover  "the office location" with a CA that enforce MFA. I can not use SSPR combined user registration and therefor im looking into Identity protection MFA registration Policy but unclear about license requirement.

2 Replies
Hello @john66571
Your situation involves implementing an MFA enrollment policy in Azure, specifically using Entra ID Identity Protection and dealing with challenges related to licensing and technical restrictions. I will address the issue in parts to offer a clearer solution.

Understanding Entra ID P2 License and MFA Registration Policy
Azure AD Identity Protection, a part of Microsoft Entra, provides advanced identity protection features, including the MFA registration policy, which requires Azure AD Premium P2 licenses. This means that only users with this license can directly benefit from the identity protection policies, including the mandatory MFA registration.

Activating MFA Registration Policy for Licensed Users
When you activate the MFA registration policy for "all users," the system will not automatically filter out users based on the presence of a valid Azure AD P2 license. This means the policy will attempt to be applied to all users, but will only be effective for those with the necessary licenses.

Recommended Solution: Dynamic Groups
The most effective solution is to create dynamic groups in Azure AD to segment users based on license types, including those with Azure AD Premium P2. This allows for the MFA registration policy from Entra ID Identity Protection to be specifically applied to licensed users, avoiding license compliance issues.

Steps to Implement:
1. Create Dynamic Groups:
- Use rules in dynamic groups to include users with specific Azure AD Premium P2 licenses. You can use rule expressions based on user license attributes.

2. Apply MFA Registration Policy:
- Apply the Entra ID Identity Protection MFA registration policy to these dynamic groups. This ensures only users with the appropriate licenses are required to register for MFA.

3. Monitoring and Adjustments:
- Monitor the effectiveness of the policy and make adjustments as needed, especially if there are changes in license distribution or security requirements.

Considerations Regarding SSPR (Self-Service Password Reset)
You mentioned the inability to utilize combined user registration with SSPR, which might be a limitation in some scenarios. However, focusing on the MFA registration policy through Identity Protection is a solid approach to enhancing security.

For mixed-license environments like yours, using dynamic groups to segment users based on P2 license availability and applying targeted security policies is the recommended strategy. This maximizes MFA registration policy coverage within the limitations of available licenses and maintains compliance with Microsoft's licensing policies.


Thank you for a well informed and well structured response.
Very much appreciated indeed!

I have been (since yesterday) checking and testing the SSPR feature "require users to reconfirm their registered information" as a possible solution with a dynamic group that look for accounts that are 1 week of age or less. This means the dynamic group will only have new accounts and then require them to register security information (and put SSPR enabled to this specific dynamic group). However, my challenge then is to exclude group/service accounts as they should not be covered.

We will see, ive also explored the option to only cover a specific app (and make an appregistration with a website or sharepoint site) that is covered with the MFA requierment through CA. But then again, if a new user is not visiting that app the on-boarding will not happen, then i could theoretically just advice them to register MFA methods under myaccount ( etc).

Thank you, i have some thinkinering to do and we will see what solution (perhaps multiple) i have to use and consider. It is indeed a struggle when an internal network needs to be excluded from CA.