Move Identity Protection MFA Registration Policy to Azure AD Free or AADP1
Each customer needs an easy way to request the MFA registration of its employees. With Conditional Access, the registration is unfortunately only requested when the employee needs MFA for the first time, but registering in advance would be much better. Therefore, please move the Identity Protection MFA Registration Policy to Azure AD Free or at least AADP1.
Yes, security defaults would accomplish this, but I have a lot of AADP1 / E3 customers that would like to enforce the enrollment. A workaround would be via the SSPR registration policy. The CA policy with the user action would only "secure" the registration, not enforce it.
Typical case: enforce MFA on non-compliant / non-hybrid-joined devices. The majority of users will never hit MFA because they fulfil the device requirement, but it would still be nice to get them registered, not just block the registration from a potential outside attacker.
But let's be honest, I don't think the MFA registration policy is the AADP2 / E5 purchase reason - let's get it into Free or P1 - the risk engine is the great stuff in Identity Protection.
Also, the registration policy gives you the option to skip the registration for 14 days, allowing you to balance security and productivity during rollout. Also, imagine the user going onto an untrusted device for the first time, hitting the MFA requirement for the first time, and then not being able to register.
Alex Weinert (MSFT) commented
In the works for P1 :)