Adaxes

Control Azure User SSPR/MFA from AD?

0 votes

I don't know if this is achievable but.... we want to see if we can automatically enrol users for Azure SSPR/MFA as soon as a mobile/cell number is added to their AD account. I can trigger workflow OK but the question is how to push out a change into AAD that adds the user to the SSPR/MFA policy?

Seems that MS have deliberately disabled this being based on AD group memberships and now is based on AAD policies - with the intention that this is managed directly through AAD.

So wondering if it's possible to do this from the AD side somehow?

Many thanks

by (310 points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello Bernie,

Currently, Microsoft recommends using conditional access to enforce MFA on a per-group basis. The following article should be helpful: https://docs.microsoft.com/en-us/azure/ ... ess-policy.

Related questions

0 votes
1 answer
What is the most current way of checking if a user has MFA enabled in Azure?

We used to use a script to check if an AD user's MFA was set in Azure (Hybrid AD/AAD set up). I do not think it is relevant any longer. Is there another script that handles this or some other functionality in order to check a user's Azure MFA status?

asked Aug 23 by msheppard (470 points)
0 votes
1 answer
Leveraging last interactive sign in data from Azure AD inside the Adaxes Management Console

Hello there, We have recently moved (almost) every computer from on-prem to cloud only and have setup some scheduled tasks to disable users based off of Last Logon and Last Logon ... in a different way? And if not, are there any plans to leverage that data?

asked May 21 by jacobchugg (20 points)
+1 vote
1 answer
Is generating and distributing a Temporary Access Pass (TAP) from Azure AD instead of a password supported?

Aiming to go passwordless, this is a must-have

asked Aug 30, 2023 by JM (30 points)
0 votes
1 answer
Azure SSPR - any issues?

Our organisation is planning to use Adexes for user creation and modification including helpdesk password resets. However, we also have an AAD with federated authentication back to ... Adexes and am wondering if this could cause any issues? Many thanks, Bernie

asked Aug 11, 2019 by Bernie (310 points)
0 votes
1 answer
User created on, on prem AD wait for azure to sync

Hi after the user acount is created in Active Directory I need the business rule to pause for 30mins for the azure sync to take place before the rule can continue to add the 365 license.

asked May 24 by johanpr (120 points)
3,549 questions
3,240 answers
8,232 comments
547,814 users