How can we improve Azure Active Directory?

Automatically enable MFA for all members of an Azure AD Group.

Add the ability to automatically enable MFA for all members of an Azure AD group as they are added. In addition, ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

55 votes

    Michael Coutanche shared this idea
    under review  ·  Azure AD Team (Admin, Microsoft Azure) responded

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

    7 comments

      • Anonymous commented

        Conditional Access doesn't really help when it comes to user provisioning. There should be a global setting, enabling MFA for either All or selected Groups. And why can't we pre-provision the MFA method already when the user is created? Why do we have to do it retrospectively AFTER the user is created?

      • Azure AD Team (Admin, Microsoft Azure) commented

        Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft's recommended enforcement model.
        We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

      • Robert Boyle commented

        It is completely nuts that this isn't a basic feature of MFA. The fact that it has to be enabled per user is just crazy.

      • quaid commented

        OMG come on, this is a no-brainer, has this been added yet?? It should be built.

      • KjetilEVRY commented

        Absolutely, this is a must for large enterprises. And even better, make it easy to enforce a method also (i.e. SMS/call/app notification) already, so we don't have to run a scheduled PS script to enforce this.

      • Gururaj Pandurangi commented

        +1 for this.

        Especially for 'Owners' and 'Subscription co-admins'.
        Compliance policies require us to do that.

        1) Please have MFA work with basic Azure AD (i.e. no Premium plans).
        2) Allow it to work with Azure AD applications (even with Premium plans, MFA is tied only to users, not AD App/Service Principals)
