Disable MFA 14 day grace period?

New Contributor
Hi,

Just looking for some advice here...
Is it possible to disable/remove the 14 day "grace period" for MFA registration for new users?

Premium subscription being used. Customer wants all new users to be forced to set up MFA when they first log in and not allow them to skip for 14 days.

I can't find anywhere to disable this? Security defaults is not enabled. A 3rd party service is being used for SSPR.

Thanks.
4 Replies

@luke_m137 

You need Identity Protection in order to get the 14-day grace period, and Identity Protection requires an Azure AD Premium P2 license. If you are premium user then MFA will be enforced once you enable MFA via conditional access then the user cannot bypass it 

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protec...

This is discussed by a content author in this Github issue:

Security defaults will trigger a 14 day grace period for registration after a user's first login and security defaults being enabled. After 14 days users will be required to register for MFA and will not be able to skip.

Conditional Access by itself without Azure Identity Protection does not allow for the 14 day grace period. Identity Protection includes the registration policy that allows registration on its own with no apps assigned to the policy. If a Conditional Access policy requires Multi-Factor Authentication then the user must be able to pass that MFA request.

Hi Luke,

You could use Azure AD Conditional Access to enforce MFA when users access O365 from an untrusted network. This was users will be forced to register for MFA as soon as they access 365 resources.

You could also enforce MFA registration from the trusted network only. This way users will be able to access O365 only after registering MFA and only from the trusted network.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-c...

I hope it helps
Antons

Hi @Chandrasekhar_Arya 

 

Thank you for your response, however, this isn't what I'm looking for.

I stated in my post that the organization does not use security defaults and they are already on a Premium subscription for Azure.

 

We want to enforce MFA registration immediately.

We don't want users to have the option to defer registration for 14 days.

 

Current behaviour: User logs in for first time - has option "skip for now (14 days until this is required)"

Desired behaviour: User logs in for first time - has to set up MFA to continue.

Hi @Antons Bukels 

 

Thanks for your reply.

 

"You could use Azure AD Conditional Access to enforce MFA when users access O365 from an untrusted network."

I believe this is already configured, and what we are seeing is not many people are registering because not many are accessing M365 outside of work or outside of trusted devices/networks so that is why they are looking at this alternative...

 

"You could also enforce MFA registration from the trusted network only. This way users will be able to access O365 only after registering MFA"

Could potentially be an option however you went on to say "and only from the trusted network."

 

What do you mean "and only from the trusted network"?

 

Do you mean that they would be forced to register while connected to the trusted network and then they would be unable to access M365 services from outside of the trusted network once registered? 

 

Or they would be forced to register, but they will be able to access from anywhere that Conditional Access policies permit once they have registered for MFA?

 

I don't want a scenario where users are forced to register for MFA and then can't do something like logging on to OWA on their home PC for example. That would not be ideal.

 

Look forward to hearing from you regarding that suggestion further. Thanks!!