35 votes
Dusty Snider commented
Yes, Microsoft absolutely needs this option. I just got into a long discussion with an engineer in Washington that setting the user to "Enabled" and having them be forced to set up MFA before they can log in the next time is not feasible in a large rollout.
My planned "unsupported" workaround:
Send out email to all users with this link https://aka.ms/MFASetup asking them to register their device.
Wait a period of 2-4 weeks for any questions about MFA and to register.
Use PowerShell scripts in this link to see how many people have "pre-registered" - https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-manage-reports
Once above script confirms a decent "pre-registered" state, email everyone to remind them the change is coming and will be mandatory. Wait a few more days.
Change users from Disabled to Enabled in Azure MFA.
Users will simply be prompted on their "pre-registered" device for MFA without having to go through the initial setup like they would have if you "cold-turkey" enabled them. All people who ignored emails will be forced, but IT has done the CYA about the rollout by communicating to everyone.
If above works I'll submit my resume to Microsoft since they are obviously in need of people who have actually rolled out technology to the masses before.
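The pre-registration check in the plan above can be turned into a go/no-go gate before anyone is switched to Enabled. The following is an added example, not part of the comment or of Microsoft's scripts: the function name, the threshold and the sample users are assumptions, and the objects are shaped like `Get-MsolUser` output (MSOnline module) so the sketch runs without a tenant.

```powershell
# Added example: decide whether enough users have pre-registered to flip them to Enabled.
function Get-MfaRolloutReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [ValidateRange(0, 100)] [int] $MinPercentRegistered = 90   # assumed cut-off
    )
    $rows = foreach ($u in $Users) {
        # No requirement entry means per-user MFA is still Disabled.
        $state = $u.StrongAuthenticationRequirements | Where-Object { $_ } |
                 Select-Object -First 1 | ForEach-Object { $_.State }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            # At least one registered method means the user completed setup.
            Registered        = @($u.StrongAuthenticationMethods | Where-Object { $_ }).Count -gt 0
            MfaState          = if ($state) { $state } else { 'Disabled' }
        }
    }
    # Only users still Disabled are part of the pending rollout.
    $pending = @($rows | Where-Object { $_.MfaState -eq 'Disabled' })
    $ready   = @($pending | Where-Object { $_.Registered })
    $cold    = @($pending | Where-Object { -not $_.Registered })
    $pct     = if ($pending.Count) { [math]::Round(100 * $ready.Count / $pending.Count, 1) } else { 100 }
    [pscustomobject]@{
        PercentRegistered = $pct
        SafeToEnable      = $pct -ge $MinPercentRegistered
        PreRegistered     = @($ready.UserPrincipalName)   # prompted on their device, no setup
        NeedsFollowUp     = @($cold.UserPrincipalName)    # would hit forced setup at next login
    }
}

# Constructed sample data (not real accounts), shaped like Get-MsolUser output.
$method  = [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }
$enabled = [pscustomobject]@{ RelyingParty = '*'; State = 'Enabled' }
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'
        StrongAuthenticationMethods = @($method); StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test'
        StrongAuthenticationMethods = @($method); StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'
        StrongAuthenticationMethods = @();        StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'dave@example.test'
        StrongAuthenticationMethods = @($method); StrongAuthenticationRequirements = @($enabled) }
)

# In a tenant, replace $sample with the output of: Get-MsolUser -All
Get-MfaRolloutReadiness -Users $sample -MinPercentRegistered 75 | Format-List
```

The `NeedsFollowUp` list is the group to target with the reminder email before the change becomes mandatory.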