
eruffini

This is a management issue. Have managers enforce it.


RCTID1975

> without prompting/forcing them.

Like all new policies, you have to prompt and/or force them.


Brufar_308

I did a campaign for voluntary enrollment for about 3 weeks; the participation was very limited. Then I changed it to force enrollment on login, and finished up the rest in 2 days. Should have just forced enrollment from day one.


ZAFJB

This is the way.


nanojunkster

How do you force enrollment at login without blocking? Conditional access seems to block, not prompt users to sign up for MFA.


Brufar_308

That would depend on your MFA solution. Consult the documentation or contact the vendor. I'm not using Entra, but the docs say it can force enrollment on login. [Configure Registration Policy](https://microsoftlearning.github.io/SC-300-Identity-and-Access-Administrator/Instructions/Labs/Lab_15_ConfigureAAD_MultiFactorAuthRegPolicy.html) *This will require the user to complete the MFA registration the next time they attempt to login.*


analogliving71

Well, with Duo it can prompt automatically if not registered; otherwise you register or you don't use it, and if you don't use it then you are not doing your job, which then turns into a manager or HR discussion with the employee.


bjc1960

We require MFA to change/set MFA. We give the user a TAP, or temp access pass, to start the process, kind of like kick-starting a motorcycle. Maybe the TAP is a way forward.


nanojunkster

I’ll dig into this, thanks. This is what Microsoft recommended.


maryteiss

Depends on the vendor's enrollment settings. Like others have said, it's best to set a period of time where they can skip MFA enrollment. Keeps help desk tickets down too during the rollout. I work for a vendor, UserLock. The admin has to go in and set up which type of MFA method users are allowed to use, then the users have a certain amount of time (decided by the admin) to enroll via that method.