Introduction:
This is quick post on Azure MFA (multi factor authentication) . Azure MFA is Two-step verification is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the verification methods.
To know more about different methods of setting up Azure MFA ,please read http://eskonr.com/2018/03/different-methods-to-setup-azure-mfa-registration-for-o365/
Problem:
We have enabled MFA for the whole organization (All users) using one step method (easy solution) with Azure Identity protection and also Conditional Access .This one step method help user to configure MFA when they hit o365 at first place. You can also configure MFA using MFA portal by enabling one by one or upload file with all user email address ,but this method is reactive approach (when new user on boarded ,you need to perform this manual step again and again).
Wit this one step solution,we have got all users configured their MFA and everything fine .But recently ,some of the users reported that ,when they login to office 365 portal to update their user settings and also read the activations ,devices etc, they found that, Additional security verification is not available .This Additional security verification option help users to update their MFA settings from the existing configuration what they have.
After looking at the user account MFA status in the azure MFA portal ,it was showing as disabled .So i used powershell to query the MFA status and script tell me ,MFA configured by user.
This happens because ,MFA option was forced by user using Azure Identity protection /Conditional Access but not through MFA portal . Even though MFA option configured by user, MFA portal still show it as disabled.
After enabling the user MFA in MFA portal ,user can see the additional security verification option through https://portal.office.com/
If users wanted to update the MFA settings ,you can guide them to visit https://aka.ms/mfasetup .This will help them to configure additional MFA option which is same as configuring it via office 365 portal.
Conclusion:
If users ask for how to configure/modify the MFA options, guide them to visit https://aka.ms/mfasetup rather spending time to enable the MFA accounts manually or scripted .
Hope it helps!