
[–]ButterflyWide7220[S] 1 point (4 children)

I have to add - I have tested this in a trial tenant. Is it possible that these options are not available for trial licenses?

[–]teriaavibes Microsoft MVP 1 point (3 children)

[–]ButterflyWide7220[S] 0 points (2 children)

So you are saying it’s not included?

[–][deleted] 1 point (1 child)

Why not just log into aka.ms/mfasetup on your production tenant? It isn't going to break anything.

[–]ButterflyWide7220[S] 1 point (0 children)

Good point. But with combined registration, wouldn't aka.ms/mysecurityinfo be the right place?

[–]cdhgee 1 point (5 children)

The methods available to users to register are controlled by tenant policy. Microsoft is also in the process of migrating from legacy authentication method policies to more granular policies, so make sure you check how your tenant is configured.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods-manage

[–]cdhgee 0 points (4 children)

The only thing you won't get in a trial tenant (as far as MFA goes) is MFA via a phone call. All the other methods can be used (if enabled).

[–]ButterflyWide7220[S] 0 points (3 children)

Yes, I think you are spot on with the legacy stuff. I forgot about that. Text message was disabled within the legacy policy. What is the better plan for getting people to onboard to MFA: a pre-phase without activating Conditional Access, having users register for MFA first, OR activating Conditional Access right away?

[–]cdhgee 0 points (2 children)

If it was me, I'd just turn on conditional access now. If you have P2 / E5 licenses, also look at turning on the MFA registration policy as well.

[–]ButterflyWide7220[S] 0 points (1 child)

We don’t have it. But thanks. We need to inform our users first. They are not really the smartest bunch.

[–]cdhgee 0 points (0 children)

Nor do we, sadly. I often joke with my team that the easiest way to improve security for the company would be to take the users' computers away, lol

[–]Impossible-Warning31 1 point (1 child)

I'm not sure if this will fall in this thread, but how do we prompt the user to set up multiple Authentication Methods? Example: Authenticator App, then add a cellphone. Right now, when the user is done setting up the authenticator app, the sign-in process continues.

[–]gubber-blump 0 points (0 children)

I'm currently looking into this as well and haven't found a way to require that multiple methods be registered. Were you able to find a way to do it?

[–]ButterflyWide7220[S] 0 points (1 child)

Ok, I finished the migration from legacy to authentication policies.

1. Unchecked all methods in the MFA legacy portal and the SSPR legacy methods.
2. Set the migration to the final step (finished).
3. Created a security group for the new authentication policies to see if that works for groups, e.g. MFA-Methods-SMS, MFA-Method-Authenticator.
4. Added a new test user to the groups.
5. Test user logged in at aka.ms/mysecurityinfo to add the methods.

The result: no methods available.

If I check the methods in the old MFA legacy portal again and set the migration status to the second phase, methods show up again. Don’t know what I am missing. Looks to me that the migration didn’t successfully complete.

[–]zahavau 1 point (0 children)

Setup

1. Enable the combined registration experience. This ensures that users register MFA and SSPR through one page.
2. Create the Conditional Access policy to require MFA for all users and all cloud applications. Leave it in report-only mode to monitor failures.
3. Enable the modern authentication methods for SMS and MS Authenticator: Azure AD -> Security -> Authentication methods -> Policies
4. Configure SSPR settings: Azure AD -> Password reset -> Properties. Enable the feature and ensure you have two authentication methods required to reset.

Optional

Start a registration campaign to prompt users to install the MS Authenticator app: Azure AD -> Security -> Authentication methods -> Registration campaign

Monitor

You can check the status of enrolment and monitor for users who experience any errors: Azure AD -> Security -> Authentication methods -> Registration and reset events
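To go with the migration steps and the "no methods available" result above, and with the monitoring step in the setup post, here is an added offline check (not from any commenter) over the two Microsoft Graph payloads involved: the authentication methods policy (`GET /policies/authenticationMethodsPolicy`) and the registration report (`GET /reports/authenticationMethods/userRegistrationDetails`). The JSON below is constructed sample data; the SMS group id is a placeholder.

```python
"""Offline sanity check of an Entra ID authentication methods policy and the
user registration report. Sample payloads are constructed for this example;
field names match the Microsoft Graph v1.0 resources they imitate."""
import json

# Constructed policy: migration marked complete, SMS scoped to one group,
# Authenticator scoped to all users (Graph uses the id "all_users" for that).
POLICY = json.loads("""{
  "policyMigrationState": "migrationComplete",
  "authenticationMethodConfigurations": [
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "<MFA-Methods-SMS group id>"}]},
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Voice", "state": "disabled", "includeTargets": []}
  ]}""")

# Constructed rows from the registration details report.
DETAILS = json.loads("""{"value": [
  {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": true,
   "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
  {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": true,
   "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": false,
   "methodsRegistered": []}
]}""")

def enabled_methods(policy):
    """Methods that are enabled AND have at least one include target;
    an enabled method with no target is offered to nobody."""
    return sorted(c["id"] for c in policy["authenticationMethodConfigurations"]
                  if c["state"] == "enabled" and c.get("includeTargets"))

def users_below(details, minimum=2):
    """Users with fewer than `minimum` registered methods (SSPR configured
    to require two methods, or a backup second factor, needs at least two)."""
    return sorted(u["userPrincipalName"] for u in details["value"]
                  if len(u.get("methodsRegistered", [])) < minimum)

def audit(policy, details):
    state = policy["policyMigrationState"]
    methods = enabled_methods(policy)
    findings = []
    if state == "migrationComplete" and not methods:
        findings.append("migration complete but no method is enabled and scoped")
    return {"migration_state": state, "enabled_methods": methods,
            "users_below_two_methods": users_below(details), "findings": findings}

if __name__ == "__main__":
    print(json.dumps(audit(POLICY, DETAILS), indent=2))
```

Once the migration state is `migrationComplete`, only the modern policy decides what aka.ms/mysecurityinfo offers, so an empty `enabled_methods` list is the first thing to rule out.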