SOLVED

MFA: can I make registering MFA optional but then require it for signing in?

Contributor

Can I make registering for Azure MFA optional but if it is configured on an account then require it for signing in? 

Example: If I set up MFA on an account that is not MFA-enabled or MFA-enforced, then MFA is not required to log in, but if I enable MFA for an account, then the user must set up MFA immediately. 

(I hope this makes sense.) A lot of consumer sites make two-factor auth optional but will enforce it after you set it up. 

We want people who are concerned about security to register for and use MFA, but we give a grace period for those resisting the idea. Thank you.

4 Replies

It depends on how you are configuring MFA. If it's via the MFA portal, the user will have to register after his currently valid token expires. If it's via Conditional access policy, the user will have to register only when it hits some resource that requires MFA.

@Vasil Michev I only want to require MFA if the user has registered for it. Is this possible?

best response confirmed by Roger Seekell (Contributor)
Solution

MFA is not self-service; you as the admin determine which users require it (either by directly enforcing it or by using a CA policy), and only then can the users register.

OK, that answers my question. Thank you!