Enable MFA without 14-day delay for a MS365 user without conditional access policy

Introduction

Multi-factor authentication (MFA) is one of the most effective controls for securing access to cloud services. Microsoft 365 supports several MFA methods, and there are three ways to require MFA for an MS365 user: per-user configuration in the MS365 admin interface, the "security defaults" policy that is applied by default on new tenants, and "conditional access" policies.

For more details on these methods, here is the Microsoft documentation: https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-turn-on-mfa?view=o365-worldwide&tabs=secdefaults

With "conditional access" policies, MFA is strictly required for every sign-in that matches the rule. This is the most secure of the three methods, but it requires a Microsoft Entra ID P1 or P2 license. Without such a license, only the first two methods are available, and they have two weaknesses. First, when MFA is turned on for a user (not an admin), the user has 14 days to register an MFA method; during those 14 days the account can be accessed with just a username and password. Second, once MFA is registered, it is not necessarily challenged on every sign-in, because the "security defaults" policy follows the rule of "challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks". So, without a Microsoft Entra ID P1 or P2 license, MFA on a user account exists but is less stringent than for a licensed user targeted by a "conditional access" rule.

This article explains how to enable MFA without the 14-day delay for a user who does not have a Microsoft Entra ID P1 or P2 license.

Enable MFA without 14-day delay without conditional access policy

You can use the following function to set the StrongAuthenticationRequirements property on a newly created account, so that MFA registration is required at the user's first sign-in, without the 14-day delay. It uses the MSOnline PowerShell module: run Connect-MsolService first.

# Requires the MSOnline module; run Connect-MsolService before calling the function.

function Force-MFA {
    param (
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    # One requirement applying to all relying parties ("*").
    # State "Enabled" makes the user register MFA at the next sign-in;
    # it moves to "Enforced" automatically once registration is complete.
    $authMethod = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $authMethod.RelyingParty = "*"
    $authMethod.State = "Enabled"

    # The property expects a collection, even for a single requirement.
    $authMethods = @($authMethod)

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $authMethods
}

# Example call:
# Force-MFA -UserPrincipalName "new.user@contoso.onmicrosoft.com"

Note: To disable per-user MFA again, set -StrongAuthenticationRequirements @() (an empty collection) on the user with Set-MsolUser.
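The function above handles one account at a time and gives no feedback. The following added example (not from the original article) extends it into an audit of the whole tenant: it reports the per-user MFA state and the number of registered methods for every member user, then enables the requirement on accounts that still have none, with -WhatIf support so the change can be previewed. It assumes the same prerequisites (MSOnline module installed, Connect-MsolService already run); the function names and the example UPN are the author's own choices for illustration.

```powershell
# Added example, not part of the original article.
# Assumes: Install-Module MSOnline has been done and Connect-MsolService has been run.

function Get-MfaStateReport {
    # One object per member user: current per-user MFA state
    # ("Disabled" when no StrongAuthenticationRequirement is present)
    # and the count of authentication methods the user has registered.
    Get-MsolUser -All |
        Where-Object { $_.UserType -eq 'Member' } |
        ForEach-Object {
            $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                MfaState          = if ($req) { $req.State } else { 'Disabled' }
                RegisteredMethods = @($_.StrongAuthenticationMethods).Count
            }
        }
}

function Enable-MfaWhereMissing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # UPNs to leave untouched, e.g. a break-glass account managed separately.
        [string[]]$Exclude = @()
    )

    # Same requirement object as in the article's Force-MFA function.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = 'Enabled'   # registration is demanded at the next modern-auth sign-in

    foreach ($u in Get-MfaStateReport) {
        if ($u.MfaState -ne 'Disabled') { continue }                     # already Enabled/Enforced
        if ($Exclude -contains $u.UserPrincipalName) { continue }        # explicitly excluded

        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Set per-user MFA state to Enabled')) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
        }
    }
}

# Usage: preview, apply, then verify nothing is left in the Disabled state.
# Enable-MfaWhereMissing -WhatIf
# Enable-MfaWhereMissing -Exclude 'breakglass@contoso.onmicrosoft.com'
# Get-MfaStateReport | Where-Object MfaState -eq 'Disabled'
```

Two caveats when reading the report. The "Enabled" state only forces registration on sign-ins that use modern authentication; until the user completes registration (at which point the state becomes "Enforced"), legacy authentication protocols still accept the password alone, so blocking legacy authentication remains necessary. Also, a user with MfaState "Enabled" and RegisteredMethods equal to 0 has not yet signed in since the change, which is exactly the population to watch after a bulk enablement.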


Lionel TRAVERSE
Microsoft 365 Certified Administrator Expert
Microsoft Certified Trainer
lionel.traverse@admin365.fr