Cloudbrothers
Azure Attack Paths Posts Categories About me Talks english
Cloudbrothers

Contents

Why the new MFA registration benefits your users

 included in Azure AD Entra ID Identity and Access MFA
   432 words   3 minutes 

The new website for the combined security information registration, as Microsoft officially calls it, allows users to set up MFA and the necessary information for self-service password reset (SSPR).

It is also a prerequisite for setting up FIDO2 security keys, the use of “user actions” in conditional access policies, and will certainly be required for any new two-factor methods.

At first glance, however, these changes do not benefit the individual user.

But especially for firstline workers, i.e. users with only one mobile device, the change brings a greatly improved user experience during the initial setup of MFA.

Legacy mode

The following screenshot shows an example of what setting up a second factor on a mobile device looks like.

/en/new-mfa-registration-experience/images/LegacyMFASetupProcess.png

The process is anything but user-friendly and setting up the Microsoft Authenticator additionally requires manually copying the displayed information into the app. The normal user has been lost at this point at the latest. The option of using the phone number as a second factor is the simplest, since the user does not have to leave the browser.

But even with this solution, the user has to manually adjust the size to be able to see anything at all.

/en/new-mfa-registration-experience/images/AddPhoneNumber.png

New combined registration

Microsoft has learned from customer feedback and designed the new UI so that it can be used on a smartphone without any problems. The interface is modern and intuitive.

/en/new-mfa-registration-experience/images/NewMFASetupProcess.png

It’s a smooth process throughout, even when setting up the Authenticator app. It’s enough to click a link to directly open the Authenticator app and add the account.

/en/new-mfa-registration-experience/images/NewMFAExperience.gif

Important information

For the initial setup, the browser of the smartphone should be used.

During the initial setup via an app such as Teams or Yammer, it is not possible to access the Authenticator app properly from within the workflow on iOS and some Android devices (e.g. Samsung).

Provide your users with the short-link https://aka.ms/mfasetup to ensure the greatest user experience for the initial setup.

The short link https://aka.ms/mysecurityinfo can be used to manage the MFA data set up so far.

Enable combined security information registration experience

The new interface can be enabled in Azure Portal -> “User Settings” -> “Manage user feature preview settings”.

/en/new-mfa-registration-experience/images/UserSettings.png

Just set “Users can use the combined security information registration experience” to “All” and save.

/en/new-mfa-registration-experience/images/CombinedSecurityInformationRegistrationExperience.png

If desired, this can also be tested on a small group of users first. Please note that only one group can be selected. It is therefore recommended to use an extra group.

/en/new-mfa-registration-experience/images/CombinedSecurityInformationRegistrationExperience-GroupOnly.png

Info
As of August 15, 2020, this will be enabled automatically for all new tenants. No further adjustment is possible for these tenants.
Updated on 2021-04-26
Back | Home