ID-01: Driving User MFA Registration
Overview
Multi-Factor Authentication (MFA) is the single most effective control for preventing account compromise. However, enabling MFA policies is only half the battle - users must actually register their authentication methods before they are protected. This guide covers strategies for driving MFA registration adoption across your organization, from registration campaigns to nudge policies.
Why This Matters: Even with MFA policies enabled, users without registered authentication methods remain vulnerable. Microsoft reports that 99.9% of account compromise attacks are stopped by MFA, but only when users have completed registration.
Prerequisites
Required Roles
- Global Administrator or Authentication Policy Administrator - to configure authentication method policies
- User Administrator - to view registration status
- Reports Reader - to monitor registration progress
License Requirements
| Feature | License |
|---|---|
| Basic MFA and Authenticator registration | Microsoft 365 E3 / Business Premium (or free with Security Defaults) |
| Registration campaigns (nudges) | Microsoft Entra ID P2 |
| Authentication methods activity reports | Microsoft Entra ID P1 |
| Conditional Access for registration enforcement | Microsoft Entra ID P1 |
Pre-Checks
- Verify your current MFA registration status at: Entra admin center > Protection > Authentication methods > Activity
- Identify which authentication methods are enabled for your organization
- Confirm you have a communication plan for users
Time Estimate
| Task | Duration |
|---|---|
| Review current registration status | 15 minutes |
| Configure authentication method policies | 30 minutes |
| Set up registration campaigns (if P2) | 20 minutes |
| Create user communications | 1-2 hours |
| Monitor and follow-up | Ongoing |
Total initial setup: 2-3 hours
Step-by-Step Instructions
Step 1: Review Current Registration Status
Navigation: Entra admin center > Protection > Authentication methods > Activity
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Authentication methods
- Click the Activity tab
- Review the Registration tab:
  - Users capable of MFA - Users with at least one MFA method registered
  - Users registered for SSPR - Users who can reset their own passwords
  - Users capable of passwordless - Users with FIDO2 or Authenticator passkeys
- Export the list of users not capable of MFA:
  - Click Users registered for MFA to view details
  - Filter for users with "No" in the MFA capable column
  - Export to CSV for follow-up communications
Step 2: Enable Recommended Authentication Methods
Navigation: Entra admin center > Protection > Authentication methods > Policies
- Navigate to Protection > Authentication methods > Policies
- Enable the following methods (in order of security):
Microsoft Authenticator (Recommended)
- Click Microsoft Authenticator
- Set Enable to Yes
- Under Target, select All users or specific groups
- Under Configure, enable:
- Allow use of Microsoft Authenticator OTP - Yes
- Require number matching for push notifications - Enabled
- Show application name in push and passwordless notifications - Enabled
- Show geographic location in push and passwordless notifications - Enabled
- Click Save
FIDO2 Security Keys (Optional - for higher security)
- Click FIDO2 security key
- Set Enable to Yes
- Target appropriate user groups (start with admins)
- Configure key restrictions if needed
- Click Save
Step 3: Configure the Registration Campaign (Requires P2)
Navigation: Entra admin center > Protection > Authentication methods > Registration campaign
Registration campaigns prompt users to set up the Microsoft Authenticator app during sign-in.
- Navigate to Protection > Authentication methods > Registration campaign
- Set State to Enabled
- Configure the following settings:
Days allowed to snooze:
- Recommended: 14 days for initial rollout
- After adoption stabilizes: 3 days or 0 (no snooze)
Target users and groups:
- Select All users for organization-wide rollout, OR
- Select specific groups for phased rollout
Excluded users and groups:
- Add break-glass/emergency access accounts
- Add service accounts that cannot use MFA
- Add users with accessibility accommodations
- Click Save
User Experience: Users will see a prompt during sign-in asking them to set up Microsoft Authenticator. They can snooze the prompt for the configured number of days.
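The same campaign settings can be applied with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the original guide; it assumes the `Microsoft.Graph` module is installed and the exclusion group ID is a placeholder you replace with your break-glass group.

```powershell
# Added example (not from the original guide). Requires the Microsoft.Graph PowerShell SDK.
# The group object ID below is a placeholder for your emergency access group.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$campaign = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                = "enabled"
            # Step 3 recommends 14 days for the initial rollout; lower to 3 or 0 once adoption stabilizes
            snoozeDurationInDays = 14
            # Nudge everyone to register Microsoft Authenticator
            includeTargets       = @(
                @{ id = "all_users"; targetType = "group"; targetedAuthenticationMethod = "microsoftAuthenticator" }
            )
            # Break-glass (and service/accommodation) accounts never see the prompt
            excludeTargets       = @(
                @{ id = "<emergency-access-group-object-id>"; targetType = "group" }
            )
        }
    }
}

Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $campaign

# Read the policy back to confirm the change took effect
(Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign |
    Select-Object State, SnoozeDurationInDays
```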
Step 4: Use Conditional Access to Enforce Registration
For users who continue to skip registration, use Conditional Access to require registration before accessing resources.
Navigation: Entra admin center > Protection > Conditional Access > Policies
- Click + Create new policy
- Name: Require MFA Registration - Enforcement
- Assignments:
- Users: Include - All users
- Exclude:
- Emergency access accounts
- Guest users (handle separately)
- Service accounts
- Target resources:
- Select All cloud apps
- Conditions:
- User risk: Not configured (or configure based on needs)
- Grant:
- Select Grant access
- Check Require multifactor authentication
- Session: Leave default
- Set Enable policy to Report-only first
- Click Create
Important: Test in report-only mode for 1-2 weeks before enforcing. Review the sign-in logs to identify users who would be blocked.
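The Step 4 policy, created in report-only state so it can be evaluated against the sign-in logs before enforcement. This is an added example, not part of the original guide; it assumes the `Microsoft.Graph` module and uses placeholder group IDs for the emergency access and service account exclusion groups.

```powershell
# Added example (not from the original guide). Requires the Microsoft.Graph PowerShell SDK.
# Group object IDs are placeholders for your own exclusion groups.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName   = "Require MFA Registration - Enforcement"
    # Report-only first, as Step 4 recommends; nothing is blocked in this state
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }   # All cloud apps
        users          = @{
            includeUsers  = @("All")
            # Legacy directory value that excludes guest/external users (handled separately)
            excludeUsers  = @("GuestsOrExternalUsers")
            excludeGroups = @(
                "<emergency-access-group-object-id>",   # break-glass accounts
                "<service-accounts-group-object-id>"    # accounts that cannot use MFA
            )
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # Grant access + Require multifactor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After 1-2 weeks of reviewing report-only results, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```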
Step 5: Send User Communications
Create clear, helpful communications for users:
Email Template - Initial Announcement:
Subject: Action Required: Set Up Multi-Factor Authentication by [DATE]
Dear [Name],
To protect your account and our organization's data, you must set up
Multi-Factor Authentication (MFA) by [DATE].
What is MFA?
MFA adds a second layer of security beyond your password. Even if someone
obtains your password, they cannot access your account without your second factor.
What you need to do:
1. Download Microsoft Authenticator on your phone:
- iPhone: https://apps.apple.com/app/microsoft-authenticator/id983156458
- Android: https://play.google.com/store/apps/details?id=com.azure.authenticator
2. Visit https://aka.ms/mysecurityinfo and sign in with your work account
3. Click "Add sign-in method" and select "Authenticator app"
4. Follow the on-screen instructions to link the app to your account
Need help?
- Watch our setup video: [LINK]
- Contact IT support: [EMAIL/PHONE]
- Attend a drop-in session: [DATE/TIME/LOCATION]
This setup takes about 5 minutes and significantly improves your account security.
Thank you for helping keep our organization secure.
[IT Team]
Step 6: Monitor Registration Progress
Navigation: Entra admin center > Protection > Authentication methods > Activity
- Check registration progress weekly during rollout
- Track the following metrics:
- Percentage of users MFA capable
- Registration campaign snooze rates
- Authentication method distribution
Create a tracking spreadsheet:
| Week | Total Users | MFA Capable | % Registered | Change |
|---|---|---|---|---|
| Week 1 | 500 | 350 | 70% | Baseline |
| Week 2 | 500 | 420 | 84% | +14% |
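The Step 1 export and the Step 6 metrics can be produced from the same Graph report that backs the Activity page. This is an added example, not part of the original guide; it assumes the `Microsoft.Graph` module, a placeholder break-glass group ID, and output paths in the current directory.

```powershell
# Added example (not from the original guide). Requires the Microsoft.Graph PowerShell SDK.
# The group object ID is a placeholder for your emergency access group.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","GroupMember.Read.All"

$breakGlassGroupId = "<emergency-access-group-object-id>"
$excludedIds = (Get-MgGroupMember -GroupId $breakGlassGroupId -All).Id

# Same data as Protection > Authentication methods > Activity > Registration.
# Guests are handled separately (Step 4), so only member accounts are counted.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.UserType -eq "member" -and $_.Id -notin $excludedIds }

$total   = $details.Count
$capable = ($details | Where-Object IsMfaCapable).Count
$pct     = if ($total) { [math]::Round(100 * $capable / $total, 1) } else { 0 }

# One row per run: appends to the Step 6 tracking spreadsheet
[pscustomobject]@{
    Date       = (Get-Date).ToString("yyyy-MM-dd")
    TotalUsers = $total
    MfaCapable = $capable
    PctCapable = $pct
} | Export-Csv -Path .\mfa-registration-trend.csv -Append -NoTypeInformation

# Authentication method distribution (a user can have several methods registered)
$details | ForEach-Object { $_.MethodsRegistered } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table

# Users still not MFA capable: the Step 1 export used for Step 7 follow-up.
# Admin accounts are sorted first because they are the highest-risk gap.
$details | Where-Object { -not $_.IsMfaCapable } |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin, LastUpdatedDateTime |
    Sort-Object IsAdmin -Descending |
    Export-Csv -Path .\users-not-mfa-capable.csv -NoTypeInformation
```

Run it weekly during the rollout so the trend file grows one row per week; the week-over-week change column in the table above is the difference between consecutive PctCapable values.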
Step 7: Follow Up with Non-Compliant Users
For users who have not registered after the campaign:
- Direct outreach: Send personalized emails or have managers follow up
- Offer assistance: Schedule 1:1 help sessions
- Escalate if needed: Involve HR for policy enforcement
- Consider enforcement: Enable the Conditional Access policy to block non-compliant users
Verification Checklist
After completing the setup, verify:
- Authentication methods policy shows Microsoft Authenticator enabled
- Registration campaign is enabled (if P2 licensed)
- Emergency access accounts are excluded from registration requirements
- User communications have been sent
- Registration progress is being tracked weekly
- Conditional Access policy is in report-only mode for testing
- Support documentation is available for users
- Help desk is prepared to assist users with registration
Troubleshooting
Users Cannot Register
Problem: User sees "You cannot set up this authentication method" error
Solutions:
- Verify the authentication method is enabled for the user's group
- Check if the user has a valid license
- Ensure the user is not blocked by a Conditional Access policy
- Verify the user's account is not disabled
Authenticator App Not Working
Problem: User's Authenticator app receives notifications, but approving them fails
Solutions:
- Ensure the user has internet connectivity on their phone
- Check that the phone's time is synchronized automatically
- Have the user remove and re-add the account in Authenticator
- Verify number matching is displaying correctly
Registration Campaign Not Appearing
Problem: Users are not seeing the registration prompt
Solutions:
- Verify the registration campaign is set to "Enabled"
- Check that the user is in the target group
- Ensure the user is not in an excluded group
- Wait up to 24 hours for policy propagation
High Snooze Rates
Problem: Users are repeatedly snoozing the registration prompt
Solutions:
- Reduce the snooze period (set to 3 days or 0)
- Send additional communications explaining importance
- Have management reinforce the requirement
- Consider enabling the Conditional Access enforcement policy
Service Accounts and Break-Glass
Problem: Service accounts are being prompted for MFA
Solutions:
- Add service accounts to the exclusion group
- Use managed identities instead of service accounts where possible
- Document all excluded accounts and review quarterly
Cost Considerations
Licensing Costs
| Feature | License Required | Approximate Cost/User/Month |
|---|---|---|
| Basic MFA | Included with M365 | $0 |
| Registration campaigns | Entra ID P2 | ~$9 |
| Advanced analytics | Entra ID P1 | ~$6 |
Hardware Costs (Optional)
If deploying FIDO2 security keys:
- Basic FIDO2 keys: $20-30 per key
- Advanced keys (fingerprint): $50-70 per key
- Recommended: 2 keys per privileged user
Time Investment
- Initial setup: 2-3 hours (IT admin)
- User registration: 5-10 minutes per user
- Help desk increase: Plan for 20-30% increase in tickets during rollout
- Ongoing monitoring: 1-2 hours per week during rollout
Related Controls
- ID-02: Legacy Authentication Blocked - Block protocols that bypass MFA
- ID-04: Passwordless Authentication - Enable more secure authentication methods
- CA-01: Baseline MFA Policy - Enforce MFA via Conditional Access
- PA-05: Phishing-Resistant MFA - Require stronger MFA for admins