Enabling MFA in Azure or Office 365, is usually a pretty straight forward thing to do…
But afterwards you have to deal with the users - Who all have to finalize the deployment of MFA by completing the MFA setup wizard found at https://aka.ms/MFASetup.
However, in most large organizations - IT wants to control this process and maybe even which number the MFA text message challenge is sent to, and thus provisions the mobile phone via Active Directory. This however, still requires the users to complete the MFA setup! (even though the user wont have to type any thing, as it will all be pre-populated)
This can be forcefully skipped, by going to the Azure MFA portal and enforcing MFA straight away. Though it won’t work if the users have not been successfully synced to Azure AD with a valid mobile number.
NOTICE: This Guide assumes that you have already enabled MFA in Azure or Office 365, and have the users populated with their Mobile Phone number, in order to receive the MFA text messages or calls. (Official guide here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted)
Enforcing MFA through the GUI
First step is to log-on to your tenants Azure AD manager - via https://aad.portal.azure.com and select the “Azure Active Directory”.
Go to the MFA portal, by first clicking on “Users”, and then click the link button to the “Multi-Factor Authentication”.
In the MFA portal, we can search out our test user (you are going to test this before production deployment, right?).
We enforce MFA by ticking the users checkbox, and clicking on the “enable” link that appears on the right, in the “quick steps” section.
HINT: after doing this, the user might still appear as disabled, but a refresh of the page (and a search,_ if it’s a large user list_) will have the listing corrected.
Now tick the users checkbox again, and a set of new options will appear in the “quick steps” section.
Here we want to click on the “Enforce” link, which will tell the system that the user should use MFA right away, with the pre-deployed contact details from out Active Directory.
Again, this will not prevent the system from forcing the user through MFA setup, if the required details are missing from your Active Directory.
That’s it for our test user!
If everything works as expected, you can use the bulk update function, which will allow you to do this for all users via a CSV file.
Enabling through group membership is also possible, but only through the use of Conditional Access (a highly recommended approach), though only available to enterprise level subscriptions.
Last approach would be to do it via PowerShell (which I would do if I didn’t have E3), but Conditional Access is the officially supported way of automating MFA.
During any project to enable “Multi-Factor Authentication” in an organization of any size, please don’t forget to think things through and test, test, test!
You need to consider the user impact first - and how to soften the blow, because we don’t want to impact their productivity.
Consider IP white lists and Conditional Access, to keep things status quo at home, but safer on-the-go.
Do awareness campaigns before putting everyone on enforced MFA.
Microsoft has an excellent site with documentation aimed at end users, this can be a tremendous help in lifting awareness.