ID-01: Driving User MFA Registration

Overview

Multi-Factor Authentication (MFA) is the single most effective control for preventing account compromise. However, enabling MFA policies is only half the battle - users must actually register their authentication methods before they are protected. This guide covers strategies for driving MFA registration adoption across your organization, from registration campaigns to nudge policies.

Why This Matters: Even with MFA policies enabled, users without registered authentication methods remain vulnerable. Microsoft reports that 99.9% of account compromise attacks are stopped by MFA, but only when users have completed registration.


Prerequisites

Required Roles

  • Global Administrator or Authentication Policy Administrator - to configure authentication method policies
  • User Administrator - to view registration status
  • Reports Reader - to monitor registration progress

License Requirements

Feature                                         | License
Basic MFA and Authenticator registration        | Microsoft 365 E3 / Business Premium (or free with Security Defaults)
Registration campaigns (nudges)                 | Microsoft Entra ID P2
Authentication methods activity reports         | Microsoft Entra ID P1
Conditional Access for registration enforcement | Microsoft Entra ID P1

Pre-Checks

  1. Verify your current MFA registration status at: Entra admin center > Protection > Authentication methods > Activity
  2. Identify which authentication methods are enabled for your organization
  3. Confirm you have a communication plan for users

Time Estimate

Task                                     | Duration
Review current registration status       | 15 minutes
Configure authentication method policies | 30 minutes
Set up registration campaigns (if P2)    | 20 minutes
Create user communications               | 1-2 hours
Monitor and follow-up                    | Ongoing

Total initial setup: 2-3 hours


Step-by-Step Instructions

Step 1: Review Current Registration Status

Navigation: Entra admin center > Protection > Authentication methods > Activity

  1. Sign in to the Microsoft Entra admin center

  2. Navigate to Protection > Authentication methods

  3. Click the Activity tab

  4. Review the Registration tab:

    • Users capable of MFA - Users with at least one MFA method registered
    • Users registered for SSPR - Users who can reset their own passwords
    • Users capable of passwordless - Users with FIDO2 or Authenticator passkeys

  5. Export the list of users not capable of MFA:

    • Click Users registered for MFA to view details
    • Filter for users with "No" in the MFA capable column
    • Export to CSV for follow-up communications

Step 2: Enable Recommended Authentication Methods

Navigation: Entra admin center > Protection > Authentication methods > Policies

  1. Navigate to Protection > Authentication methods > Policies
  2. Enable the following methods (in order of security):

Microsoft Authenticator (Recommended)

  1. Click Microsoft Authenticator
  2. Set Enable to Yes
  3. Under Target, select All users or specific groups
  4. Under Configure, enable:
    • Allow use of Microsoft Authenticator OTP - Yes
    • Require number matching for push notifications - Enabled
    • Show application name in push and passwordless notifications - Enabled
    • Show geographic location in push and passwordless notifications - Enabled
  5. Click Save

FIDO2 Security Keys (Optional - for higher security)

  1. Click FIDO2 security key
  2. Set Enable to Yes
  3. Target appropriate user groups (start with admins)
  4. Configure key restrictions if needed
  5. Click Save

Step 3: Configure the Registration Campaign (Requires P2)

Navigation: Entra admin center > Protection > Authentication methods > Registration campaign

Registration campaigns prompt users to set up the Microsoft Authenticator app during sign-in.

  1. Navigate to Protection > Authentication methods > Registration campaign
  2. Set State to Enabled
  3. Configure the following settings:

Days allowed to snooze:

  • Recommended: 14 days for initial rollout
  • After adoption stabilizes: 3 days or 0 (no snooze)

Target users and groups:

  • Select All users for organization-wide rollout, OR
  • Select specific groups for phased rollout

Excluded users and groups:

  • Add break-glass/emergency access accounts
  • Add service accounts that cannot use MFA
  • Add users with accessibility accommodations

  4. Click Save

User Experience: Users will see a prompt during sign-in asking them to set up Microsoft Authenticator. They can snooze the prompt for the configured number of days.
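The same Step 3 settings can be applied through Microsoft Graph, which makes the snooze window and exclusions reviewable in source control. This is an added example, not code from the guide; it assumes the Microsoft.Graph.Identity.SignIns module is installed and uses a placeholder group ID for the exclusion group.

```powershell
# Added example, not part of the guide: configure the Step 3 registration campaign
# through Microsoft Graph instead of the portal. Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and $excludedGroupId is a placeholder for the object ID of a group
# that holds break-glass accounts, service accounts and users with accommodations.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

$excludedGroupId = "<object-id-of-exclusion-group>"   # placeholder, replace with your group

$campaign = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                = "enabled"
            # 14 days for the initial rollout; lower to 3 or 0 once adoption stabilizes
            snoozeDurationInDays = 14
            # "all_users" is the built-in tenant-wide target; use a group ID for a phased rollout
            includeTargets = @(
                @{
                    id                           = "all_users"
                    targetType                   = "group"
                    targetedAuthenticationMethod = "microsoftAuthenticator"
                }
            )
            excludeTargets = @(
                @{ id = $excludedGroupId; targetType = "group" }
            )
        }
    }
}

Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $campaign

# Read the setting back to confirm the state, snooze window and exclusions took effect
$policy = Get-MgPolicyAuthenticationMethodPolicy
$policy.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign |
    Select-Object State, SnoozeDurationInDays,
        @{ n = 'Excluded'; e = { ($_.ExcludeTargets | ForEach-Object Id) -join ', ' } }
```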

Step 4: Use Conditional Access to Enforce Registration

For users who continue to skip registration, use Conditional Access to require registration before accessing resources.

Navigation: Entra admin center > Protection > Conditional Access > Policies

  1. Click + Create new policy
  2. Name: Require MFA Registration - Enforcement
  3. Assignments:
    • Users: Include - All users
    • Exclude:
      • Emergency access accounts
      • Guest users (handle separately)
      • Service accounts
  4. Target resources:
    • Select All cloud apps
  5. Conditions:
    • User risk: Not configured (or configure based on needs)
  6. Grant:
    • Select Grant access
    • Check Require multifactor authentication
  7. Session: Leave default
  8. Set Enable policy to Report-only first
  9. Click Create

Important: Test in report-only mode for 1-2 weeks before enforcing. Review the sign-in logs to identify users who would be blocked.
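The Step 4 policy expressed as a Graph request, created directly in report-only mode so nothing is blocked until the sign-in log review is done. This is an added example, not the guide's own code; it assumes Microsoft.Graph.Identity.SignIns is installed and uses placeholder IDs for the emergency-access and service-account groups.

```powershell
# Added example, not part of the guide: create the Step 4 Conditional Access policy via
# Microsoft Graph in report-only mode. Assumes Microsoft.Graph.Identity.SignIns is installed;
# the two group IDs are placeholders for your own emergency-access and service-account groups.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$emergencyAccessGroupId = "<object-id-of-emergency-access-group>"   # placeholder
$serviceAccountGroupId  = "<object-id-of-service-account-group>"    # placeholder

$policy = @{
    displayName = "Require MFA Registration - Enforcement"
    # Report-only: evaluated and written to the sign-in logs, but never blocks a sign-in
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($emergencyAccessGroupId, $serviceAccountGroupId)
            # Guests are left out here and handled by a separate policy
            excludeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After 1-2 weeks of report-only review, enforcement is a single property change:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```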

Step 5: Send User Communications

Create clear, helpful communications for users:

Email Template - Initial Announcement:

Subject: Action Required: Set Up Multi-Factor Authentication by [DATE]

Dear [Name],

To protect your account and our organization's data, you must set up
Multi-Factor Authentication (MFA) by [DATE].

What is MFA?
MFA adds a second layer of security beyond your password. Even if someone
obtains your password, they cannot access your account without your second factor.

What you need to do:
1. Download Microsoft Authenticator on your phone:
   - iPhone: https://apps.apple.com/app/microsoft-authenticator/id983156458
   - Android: https://play.google.com/store/apps/details?id=com.azure.authenticator

2. Visit https://aka.ms/mysecurityinfo and sign in with your work account

3. Click "Add sign-in method" and select "Authenticator app"

4. Follow the on-screen instructions to link the app to your account

Need help?
- Watch our setup video: [LINK]
- Contact IT support: [EMAIL/PHONE]
- Attend a drop-in session: [DATE/TIME/LOCATION]

This setup takes about 5 minutes and significantly improves your account security.

Thank you for helping keep our organization secure.

[IT Team]

Step 6: Monitor Registration Progress

Navigation: Entra admin center > Protection > Authentication methods > Activity

  1. Check registration progress weekly during rollout
  2. Track the following metrics:
    • Percentage of users MFA capable
    • Registration campaign snooze rates
    • Authentication method distribution

Create a tracking spreadsheet:

Week   | Total Users | MFA Capable | % Registered | Change
Week 1 | 500         | 350         | 70%          | Baseline
Week 2 | 500         | 420         | 84%          | +14%
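Both the Step 1 export of users not capable of MFA and the Step 6 weekly tracking row come from the same registration details report, so one script can produce both. This is an added example, not code from the guide; it assumes the Microsoft.Graph.Reports module is installed, the caller holds the Reports Reader role, and the CSV paths are placeholders.

```powershell
# Added example, not part of the guide: pull the registration details report through
# Microsoft Graph to produce the Step 1 follow-up list and the Step 6 tracking row.
# Assumes the Microsoft.Graph.Reports module is installed and the caller holds the
# Reports Reader role (or higher); file paths are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Same data set as Protection > Authentication methods > Activity, one row per user
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Drive members only; guests are handled separately (see the Step 4 exclusions)
$members    = @($details | Where-Object { $_.UserType -eq 'member' })
$capable    = @($members | Where-Object { $_.IsMfaCapable })
$notCapable = @($members | Where-Object { -not $_.IsMfaCapable })

# Step 1: export the users who still need to register, for targeted communications
$today = Get-Date -Format 'yyyy-MM-dd'
$notCapable |
    Select-Object UserPrincipalName, UserDisplayName, IsSsprRegistered, IsAdmin,
        @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path ".\mfa-not-capable-$today.csv" -NoTypeInformation

# Step 6: one row of the tracking table; Change is derived from the previous saved row
$pct = [math]::Round(100 * $capable.Count / [math]::Max($members.Count, 1), 1)
$row = [pscustomobject]@{
    Date          = $today
    TotalUsers    = $members.Count
    MfaCapable    = $capable.Count
    PctRegistered = $pct
    Change        = 'Baseline'
}
$trackingFile = ".\mfa-registration-tracking.csv"
if (Test-Path $trackingFile) {
    $previous = Import-Csv $trackingFile | Select-Object -Last 1
    $row.Change = "{0:+0.0;-0.0;0.0}%" -f ($pct - [double]$previous.PctRegistered)
}
$row | Export-Csv -Path $trackingFile -NoTypeInformation -Append
$row

# Authentication method distribution across members (which methods were actually registered)
$members | ForEach-Object { $_.MethodsRegistered } | Group-Object |
    Sort-Object Count -Descending | Select-Object Name, Count
```

Run it on the same weekday each week so the Change column matches the cadence of the tracking table above.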

Step 7: Follow Up with Non-Compliant Users

For users who have not registered after the campaign:

  1. Direct outreach: Send personalized emails or have managers follow up
  2. Offer assistance: Schedule 1:1 help sessions
  3. Escalate if needed: Involve HR for policy enforcement
  4. Consider enforcement: Enable the Conditional Access policy to block non-compliant users

Verification Checklist

After completing the setup, verify:

  • Authentication methods policy shows Microsoft Authenticator enabled
  • Registration campaign is enabled (if P2 licensed)
  • Emergency access accounts are excluded from registration requirements
  • User communications have been sent
  • Registration progress is being tracked weekly
  • Conditional Access policy is in report-only mode for testing
  • Support documentation is available for users
  • Help desk is prepared to assist users with registration

Troubleshooting

Users Cannot Register

Problem: User sees "You cannot set up this authentication method" error

Solutions:

  1. Verify the authentication method is enabled for the user's group
  2. Check if the user has a valid license
  3. Ensure the user is not blocked by a Conditional Access policy
  4. Verify the user's account is not disabled

Authenticator App Not Working

Problem: User receives push notifications in the Authenticator app, but approving them fails

Solutions:

  1. Ensure the user has internet connectivity on their phone
  2. Check that the phone's time is synchronized automatically
  3. Have the user remove and re-add the account in Authenticator
  4. Verify number matching is displaying correctly

Registration Campaign Not Appearing

Problem: Users are not seeing the registration prompt

Solutions:

  1. Verify the registration campaign is set to "Enabled"
  2. Check that the user is in the target group
  3. Ensure the user is not in an excluded group
  4. Wait up to 24 hours for policy propagation

High Snooze Rates

Problem: Users are repeatedly snoozing the registration prompt

Solutions:

  1. Reduce the snooze period (set to 3 days or 0)
  2. Send additional communications explaining importance
  3. Have management reinforce the requirement
  4. Consider enabling the Conditional Access enforcement policy

Service Accounts and Break-Glass

Problem: Service accounts are being prompted for MFA

Solutions:

  1. Add service accounts to the exclusion group
  2. Use managed identities instead of service accounts where possible
  3. Document all excluded accounts and review quarterly

Cost Considerations

Licensing Costs

Feature                | License Required   | Approximate Cost/User/Month
Basic MFA              | Included with M365 | $0
Registration campaigns | Entra ID P2        | ~$9
Advanced analytics     | Entra ID P1        | ~$6

Hardware Costs (Optional)

If deploying FIDO2 security keys:

  • Basic FIDO2 keys: $20-30 per key
  • Advanced keys (fingerprint): $50-70 per key
  • Recommended: 2 keys per privileged user

Time Investment

  • Initial setup: 2-3 hours (IT admin)
  • User registration: 5-10 minutes per user
  • Help desk increase: Plan for 20-30% increase in tickets during rollout
  • Ongoing monitoring: 1-2 hours per week during rollout
