SOLVED

(AAD) I want to force security info registration only for certain users


This seems silly but I'm not seeing a way: The bulk of my users won't be licensed for MFA/SSPR, so I only want to force security info registration during logon for users that are assigned one of our AADPP1 licenses. How can I accomplish this?

3 Replies

@ajm-b 

 

You could create a dynamic group that contains all licensed users and scope the conditional access policies to them: https://365bythijs.be/2020/01/20/creating-a-dynamic-group-with-all-aad-premium-licensed-users/
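One way to build the dynamic group suggested above, as an added example that is not part of the original reply. It assumes the Microsoft.Graph PowerShell module and that the tenant's P1 service plan is named `AAD_PREMIUM`; the group display name and mail nickname are hypothetical.

```powershell
# Added example: dynamic group of users with an enabled AAD Premium P1 plan.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All'

# Read the service plan ID from the tenant's own subscribed SKUs
# instead of hard-coding a GUID.
$plan = Get-MgSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq 'AAD_PREMIUM' } |   # assumed plan name for P1
    Select-Object -First 1

if (-not $plan) {
    throw 'No subscribed SKU in this tenant contains the AAD_PREMIUM service plan.'
}

# Membership rule: only users whose plan is assigned AND enabled.
# Checking capabilityStatus keeps out users whose plan was disabled
# inside an otherwise assigned license.
$rule = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" -and assignedPlan.capabilityStatus -eq "Enabled")' -f $plan.ServicePlanId

$params = @{
    DisplayName                   = 'CA-AADP1-Licensed-Users'   # hypothetical name
    MailNickname                  = 'ca-aadp1-licensed-users'   # hypothetical name
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Object ID to select under "Users and groups > Include" in the
# Conditional Access policy that requires MFA.
$group.Id
```

Dynamic membership is evaluated asynchronously, so confirm the group has populated as expected before enabling the Conditional Access policy that targets it.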

@Thijs Lecomte thanks for the feedback! Could you clarify something? So requiring MFA via Conditional Access policy on an account that hasn't yet registered will prompt them to register during their next sign-on instead of just locking them out, correct?

best response confirmed by ajm-b (Occasional Contributor)
Solution
Jup! It will require them to register.

You will not lock them out through CA