Hi @Jiri Kolarik, yes, you can do this without creating custom policies.
For your admins, you can enforce MFA by enabling it for all sign-in attempts on the Microsoft Entra Admin Center. This is similar to the enforcement on the Azure and Intune portals.
To enable users to opt in to MFA, including SMS verification, you can use the registration campaign feature in Microsoft Entra. This feature allows you to prompt users to set up MFA during sign-in, and you can control who gets prompted by including or excluding specific users or groups.
Creating two custom groups, one enrolled for MFA and one without, is a practical approach. You can manage these groups using the Azure AD portal and enable MFA for all members of the enrolled group.
While you mentioned not wanting to create custom policies, using Conditional Access policies can provide more granular control over MFA enforcement. You can create policies that require MFA for specific groups or users based on various conditions like location, device, and risk level.
Please let me know if you have any questions and I can help you further.
If this answer helps you, please mark "Accept Answer" so other users can reference it.
Thank you,
James
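The group-scoped Conditional Access approach from the answer above, as an added example that is not part of the original answer or of any Microsoft documentation: it uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy that requires MFA for members of one group. The group name "MFA-Enrolled" and the policy display name are placeholders, and the script assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns modules are installed and that the signed-in account holds the listed Graph scopes.

```powershell
# Added example, not from the original answer. Assumes Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.SignIns are installed; "MFA-Enrolled" is a placeholder group name.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the enrolled group (the "MFA-enrolled" group suggested in the answer) to its object id.
$groupName = "MFA-Enrolled"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; create it first or adjust the name." }

# Policy body: scope to the enrolled group, all cloud apps, and require the built-in MFA grant.
# Start in report-only mode so sign-in logs show who would be affected before enforcing.
$policy = @{
    displayName = "Require MFA - $groupName (report-only)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" once reviewed
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the scope and grant control are what we intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Policy '{0}' state={1} groups={2} grant={3}" -f $check.DisplayName, $check.State,
    ($check.Conditions.Users.IncludeGroups -join ","), ($check.GrantControls.BuiltInControls -join ",")
```

The policy is created in report-only mode on purpose: the Entra sign-in logs then show which sign-ins would have been challenged, and the state can be switched to "enabled" once the result matches the intended group. Before enforcing, it is usual to add an excludeGroups entry for emergency-access (break-glass) accounts so that an MFA outage cannot lock administrators out of the tenant.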