AAD IDP MFA Registration Doesn't Fully Enable MFA

Nathan Buuck
Hi all,

I wanted to highlight a peculiarity in using an MFA Registration Policy in Azure AD Identity Protection (AAD IDP). While adding a user or a group to a policy does require them to register for AAD MFA during their next sign-on to the O365 portal, it does not actually mark the user as Enabled when observed via https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx. This results in the user not receiving a default, automatically-generated App Password after a successful registration. This also prevents the user from creating additional App Passwords; the link to AppPasswords.aspx is hidden and manually navigating to that URL and attempting to create a new App Password will generate an error.
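One way to audit the gap described in the post, as an added example that is not part of the original post: list users who have completed MFA registration (they have at least one strong authentication method) but whose per-user MFA state is still not Enabled or Enforced. The script assumes the MSOnline PowerShell module is installed and that `Connect-MsolService` has already been run with an account allowed to read user objects; the output is a constructed summary, not the tenant's real data.

```powershell
# Added example (not from the original post). Assumes the MSOnline module
# is installed and Connect-MsolService has already been run.
#
# Goal: find users that an Identity Protection MFA registration policy
# made register for MFA, but who were never set to Enabled/Enforced in
# the per-user MFA portal (so no App Password was generated for them).

function Get-MfaRegisteredButNotEnabledUsers {
    # -All avoids the default 500-user page limit on large tenants.
    $users = Get-MsolUser -All

    foreach ($u in $users) {
        # StrongAuthenticationMethods is populated once the user has
        # registered at least one MFA method (phone, app, etc.).
        $registered = ($u.StrongAuthenticationMethods.Count -gt 0)

        # StrongAuthenticationRequirements carries the per-user MFA state.
        # It is empty when the user is Disabled in the per-user MFA portal;
        # otherwise State is "Enabled" or "Enforced".
        $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $u.StrongAuthenticationRequirements[0].State
        } else {
            'Disabled'
        }

        if ($registered -and $state -eq 'Disabled') {
            [PSCustomObject]@{
                UserPrincipalName = $u.UserPrincipalName
                RegisteredMethods = ($u.StrongAuthenticationMethods.MethodType -join ',')
                DefaultMethod     = ($u.StrongAuthenticationMethods |
                                        Where-Object IsDefault | Select-Object -ExpandProperty MethodType)
                PerUserMfaState   = $state
            }
        }
    }
}

# Usage: show the affected users and export them for review.
$affected = Get-MfaRegisteredButNotEnabledUsers
$affected | Format-Table -AutoSize
$affected | Export-Csv -Path .\mfa-registered-not-enabled.csv -NoTypeInformation
```

Users returned here are exactly the population the post describes: they satisfied the registration policy but are not Enabled per-user, so legacy-authentication clients that rely on App Passwords will fail for them. Whether to set them to Enabled, or instead retire legacy authentication so App Passwords are not needed at all, is a separate decision; the script only surfaces the mismatch.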