Categories: Azure AD, Office 365

Enabling Microsoft MFA for users in the organization – without user interaction


NB: Be aware that the only truly secure MFA solution from Microsoft is the Authenticator app.

UPDATE: There is a new combined user registration process in preview. This greatly enhances the user experience. Read about the concept at
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined

Something you know + Something you have = Access

MFA = Multi-Factor Authentication, which should be a well-known concept to any IT department. And enabling MFA is usually a pretty straightforward thing to do – because most of it is user driven.

But… afterwards you have to deal with the users who are not so tech savvy…

They all have to finalize the deployment of MFA by completing the MFA setup wizard found at https://aka.ms/MFASetup

However… in most large organizations, IT wants/needs to control this process.

They might even want to control the phone number that the MFA challenge is sent to, and thus provision the mobile phone number via Active Directory. This, however, still requires the users to complete the MFA setup wizard! (even though the user won’t have to type anything, as it will all be pre-populated)

This can be forcefully skipped by going to the Azure MFA portal and enforcing MFA straight away. It won’t work, though, if the users have not been successfully synced to Azure AD with a valid mobile number.

This guide assumes you want to start with text-based MFA. The better option would be to use the Microsoft Authenticator App, but that is not something you can forcefully deploy without any user interaction (at the time of writing).

NB: This guide assumes that you have already enabled MFA in Azure or Office 365, and that you have the users' accounts populated with their mobile phone number. (Official guide here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted)

Enforcing MFA through the GUI

The first step is to log on to your tenant's Azure AD manager – via https://aad.portal.azure.com – and select “Azure Active Directory“.

Azure AD Portal

Go to the MFA portal, by first clicking on “Users“, and then click the link button to the “Multi-Factor Authentication“.

Getting to the MFA Portal

OK! Step 1 : In the MFA portal, we search for our test user.

You are going to test this before production deployment, right?

Step 2: Now we enable MFA by ticking the checkbox next to the display name, then clicking on the “enable” link that appears on the right, in the “quick steps” section.

The Multi-factor authentication Portal

HINT: After step 2, the user might still appear as disabled. A refresh of the page, and a search (if it’s a large user list) will have the listing corrected.

Step 3: Now tick the users checkbox again. A set of new options will appear in the “quick steps” section…
Click on the “Enforce” link.

Quick steps menu in the MFA portal

This tells the system that the user should use MFA right away, utilizing the pre-deployed contact details from your Active Directory.

This will not prevent the system from forcing the user through the MFA setup wizard if the required details are missing from your Active Directory / the user account.
So make sure you have your AAD sync in order.

That’s it for our test account! (you did use a test account right?)

If everything works as expected, you can use the bulk update function. This will allow you to do this for all users via a CSV file.
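The same per-user enforce action the portal performs in steps 2 and 3, done for a list of users from a CSV with PowerShell. This is an added example, not from the original post: it uses the MSOnline module (Connect-MsolService), and the CSV path and the user principal names are assumptions. It skips any account that has no mobile number in Azure AD, which is exactly the case where enforcing would still drop the user into the setup wizard.

```powershell
# Added example (not from the original post). Requires the MSOnline module and
# an admin session: Install-Module MSOnline; Connect-MsolService
# Input CSV (constructed sample), one column named UserPrincipalName:
#   UserPrincipalName
#   test.user1@contoso.example
#   test.user2@contoso.example
$csvPath = '.\mfa-users.csv'   # assumed path

# The requirement the portal's "Enforce" quick step writes for a user:
# RelyingParty '*' = every service, State 'Enforced' = no grace period,
# the user must satisfy MFA on the next sign-in.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enforced'

foreach ($row in Import-Csv -Path $csvPath) {
    $upn  = $row.UserPrincipalName
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$upn not found in Azure AD (not synced yet?) - skipping"
        continue
    }
    # Enforcing a user with no synced mobile number only sends them to the
    # setup wizard, so refuse until AAD sync has populated the attribute.
    if ([string]::IsNullOrWhiteSpace($user.MobilePhone)) {
        Write-Warning "$upn has no mobile number in Azure AD - skipping"
        continue
    }
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)

    # Read the state back; the portal listing can lag, the object does not.
    $state = (Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements.State
    Write-Output "$upn -> MFA state: $state (challenge goes to $($user.MobilePhone))"
}
```

Run it against the test account first; passing an empty StrongAuthenticationRequirements array (`@()`) to Set-MsolUser reverts a user to disabled if you need to back out.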

You can utilize Conditional Access in Azure AD to enable MFA based on group membership (a highly recommended approach). It requires an Azure AD P1 plan though…

Final words

During any project to enable “Multi-Factor Authentication” in an organization of any size; please don’t forget to think things through and test, test, test!

Please consider the user impact first – and how to soften the blow, because we don’t want to impact their productivity.

And we most certainly do NOT want users to become numb to the MFA process!

Consider IP white lists and Conditional Access, to keep things status quo at home, but safer on-the-go.

Do awareness campaigns before putting everyone on enforced MFA.
Microsoft has an excellent site with documentation aimed at end users, this can be a tremendous help in lifting awareness.
https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user

Thanks for reading!

Please follow/like etc. on twitter, @michael_mardahl

Michael Mardahl

Michael works as a Cloud Architect with APENTO in Denmark, specializing in customer journeys from classic infrastructure to cloud consumption. He has been in the IT industry for more than 20 years and has experience from a broad range of IT projects. When not at work, Michael enjoys spending time with family and friends, and blogs passionately about Enterprise Mobility whenever he has time to spare.
