Staged rollout of MFA

Copper Contributor

Hello,

 

I'm planning to rollout MFA for all users. Since there are about 300 users I want to have a staged rollout. I already switched from legacy to Azure AD Authentication. I created a new group "MFA-Users" and matched it to the Authentication method "Microsoft Authenticator" as explicit allowed. The same I did with the registration campaign.

But somehow when I add a new user without MFA to this group, he doesn't get triggered to register for MFA.

I read somewhere that I need to enable the Security defaults as well, but it seems that then every user needs to set up MFA right away.

The given documentation has still lots of references to the old Azure Admin Center instead of Microsoft Entra.

Basically I just need the neccessary steps to deploy MFA staged to each user using the new settings for registration and Authentication Policies.

We use Business Basic and Standard licences mixed with the included Azure AD Free license.

2 Replies
MFA Default Configuration link
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults
entra admin center ->identity -> Overview -> properties -> Security defaults ->enable
once you enable all user need to register MFA , default
You Need Manage MFA need premium license , Azure AD P1 license (office Business Premium , E3,E5)
license details please find below link
https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing
So "Security defaults" enables MFA at all and the Authentication methods define who can use which method then?
What would happen if a user is not allowed to use any method but the Security defaults are toggeld on?
As I mentioned above we only have Azure Free license and prefer a solution without license upgrade.