Introduction

Microsoft helps you set up multifactor authentication (MFA) by requiring it for any modern app you sign into through Entra ID Protection. MFA adds an extra security step beyond just a username and password. To use MFA, users first need to register with an app like Microsoft Authenticator.

Nowadays, it is highly recommended that MFA is used for user sign-ins. Based on a Microsoft study, it was determined that MFA-secured accounts are compromised 99% less than those without MFA.

If you do not require MFA for current sign-ins as a result of excludes via Conditional Access Policy (CAP), it is still a good idea to inform the end user of this and ask them to set it up.

Registration policy setup

1. Sign in to the Microsoft Entra admin center with at least Security Administrator permissions
2. Navigate to Protection -> Identity Protection -> Multifactor authentication registration policy
3. Go to Assignments -> Users
4. Under Include, choose either All users or Select individuals and groups to limit the rollout
5. Under Exclude, select Users and groups and pick your organization’s emergency access or break-glass accounts
6. Set Policy enforcement to Enabled
7. Click Save
   

Experience for Users

Microsoft Entra ID Protection will ask your users to register the next time they sign in. They have 14 days to complete this registration. During this time, they can skip registration if MFA isn’t needed, but after 14 days, they must register to finish signing in.

Source: Microsoft Learn – How To: Configure the multifactor authentication registration policy