I suggest you ...

users want to set up the MFA Setup Wizard later

In the MFA release plan of a large company, thousands users are impossible to actually "force" from the day.

So, the user needs a period which setting for the MFA can be skipped, before force setting period.

In the period, it provide a selection such as "set up later" in the MFA setting wizard at the initial sign-in.

if someone did not have a mobile device on that day,
if someone wants to ask questions about MFA, etc...
they can not access any Office 365.
becouse, even if you set a policy to skip MFA on the LAN, the MFA Setup Wizard will be forced.
As a result, Organization is subjected to a large negative impact!

30 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Tanimura shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    1 comment

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Dusty Snider commented  ·   ·  Flag as inappropriate

        Yes Microsoft absolutely needs this option. I just got into a long discussion with an engineer in Washington that setting the user to "Enabled" and having them be forced to do setup MFA before they can login the next time is not feasible in a large rollout.

        My planned "unsupported" workaround:

        Send out email to all users with this link https://aka.ms/MFASetup asking them to register their device.

        Wait a period of 2-4 weeks for any questions about MFA and to register.

        Use powershell scripts in this link to see how many people have "pre-registered" - https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-manage-reports

        Once above script confirms a decent "pre-registered" state, email everyone to remind them the change is coming and will be mandatory. Wait a few more days.

        Change users from Disabled to Enabled in Azure MFA.

        Users will simply be prompted on their "pre-registered" device for MFA without having to go through the initial setup like they would have if you "cold-turkey" enabled them. All people who ignored emails will be forced by IT has done the CYA about the rollout by communicated to everyone.

        If above works I'll submit my resume to Microsoft since they are obviously in need of people who have actually rolled out technology to the masses before.

      Feedback and Knowledge Base