Strong authentication registration enforcement - AlexFilipin/ConditionalAccess GitHub Wiki
The base protection includes the following two policies:

- **Base protection - All apps**: require MFA or trusted device or trusted location
- **Base protection - Register security information**: require trusted device or location, for internal users
The second policy prevents an attacker who holds a user's breached username and password from performing MFA registration on that user's behalf. Combined security information registration must be enabled, otherwise the policy that restricts MFA registration will not work. With these two policies, however, it is quite possible that employees never have to register for MFA, because they always satisfy the base protection through a trusted device or trusted location. We have to expect that at some point this will no longer be the case: the employee may exceptionally work from home, or a risk-based policy, for example, may be triggered instead of the base protection. In that situation they could not successfully complete MFA registration, because they are no longer distinguishable from an attacker and the register security information policy may block them.

So we have to think about how to get our employees registered for MFA even though they will very rarely receive MFA prompts. The following options are available to us:
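The register security information policy described above, expressed as a Microsoft Graph Conditional Access policy and created with the Microsoft Graph PowerShell SDK. This is an added example, not the deployment script or policy JSON from the ConditionalAccess repository; the display name, the exclusion group id and the choice to start in report-only mode are assumptions. It targets the `urn:user:registersecurityinfo` user action rather than an application, excludes all trusted named locations from the condition, and grants access only from a compliant or hybrid-joined device, which is how "require trusted device or location" is represented in the API.

```powershell
# Added example (not the ConditionalAccess repo's own script): create the
# "Register security information" base-protection policy via Microsoft Graph.
# Starts in report-only mode so sign-in logs show who WOULD have been blocked
# before the policy is enforced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$exclusionGroupId = "<OBJECT-ID-OF-EXCLUSION-GROUP>"   # placeholder: break-glass / exclusion group

$policy = @{
    displayName = "Base protection - Register security information"   # assumed name
    state       = "enabledForReportingButNotEnforced"                # report-only first
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($exclusionGroupId)
            excludeUsers  = @("GuestsOrExternalUsers")   # internal users only
        }
        applications = @{
            # The policy protects the security-info registration user action, not an app.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # a trusted location satisfies the policy
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # "Trusted device": Intune-compliant OR hybrid Azure AD joined.
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Leave the policy in report-only mode long enough to confirm from the sign-in logs that only registration attempts from untrusted devices outside trusted locations are flagged, then switch `state` to `enabled`. Because this policy is what blocks an attacker from registering MFA with a stolen password, it is also the policy that will block a legitimate but not-yet-registered employee in the same situation, which is why the registration options that follow matter.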
- Identity Protection multi-factor authentication registration policy - allows the user to skip registration for up to 14 days, but requires AADP2 (Azure AD Premium P2)
- Azure Active Directory self-service password reset registration settings - the user is forced to complete the registration immediately
- Proactive end-user communication - the user is not forced and has as much time as they want
- Short-term MFA enforcement without exceptions - the user is forced to complete the registration immediately
- Prepopulate MFA information with the Microsoft Graph authentication methods API; example community solutions: MSEndpointMgr & Jan Bakker
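The last option, pre-populating authentication methods through the Graph authentication methods API, as an added example written for this page rather than code from the ConditionalAccess repository or from the MSEndpointMgr or Jan Bakker solutions. It first uses the authentication methods registration report to find members who are not yet MFA-registered, then registers a mobile phone method for those whose number is known from an HR export. The CSV content, the user principal names and the phone numbers are constructed placeholders.

```powershell
# Added example (not the repo's code): find internal users who are not yet
# MFA-registered and pre-populate a mobile phone method for them, so the
# "Register security information" policy cannot lock them out later.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All", "User.Read.All"

# Constructed sample of an HR export: UPN -> verified mobile number in E.164 format.
$hrPhones = @"
userPrincipalName,mobile
alice@contoso.example,+1 4255550100
bob@contoso.example,+1 4255550101
"@ | ConvertFrom-Csv

# 1. Pull the registration report and follow @odata.nextLink pages.
$uri = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
$details = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $details += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Internal (member) users with no MFA method registered at all.
$unregistered = $details | Where-Object { $_.userType -eq "member" -and -not $_.isMfaRegistered }
"{0} member users are not MFA-registered" -f $unregistered.Count

# 2. Register a mobile phone method where HR has a number; otherwise flag for communication.
foreach ($user in $unregistered) {
    $upn   = $user.userPrincipalName
    $match = $hrPhones | Where-Object { $_.userPrincipalName -eq $upn }
    if (-not $match) {
        Write-Warning "No HR phone number for $upn - needs proactive communication instead"
        continue
    }

    # Idempotent: do not add a second mobile method if one already exists.
    $existing = Get-MgUserAuthenticationPhoneMethod -UserId $upn -ErrorAction SilentlyContinue
    if ($existing | Where-Object { $_.PhoneType -eq "mobile" }) {
        "Skip $upn - mobile method already present"
        continue
    }

    New-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneNumber $match.mobile -PhoneType "mobile" | Out-Null
    "Registered mobile method for $upn"
}
```

The report is what tells you how big the gap is before you pick one of the options above; run the read-only part first and decide whether a 14-day Identity Protection grace period, forced SSPR registration or pre-population fits the numbers. A pre-populated phone method is weaker than Microsoft Authenticator or a FIDO2 key, but it gets the user past the registration gate from a trusted device or location, after which they can add a stronger method themselves.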