0 votes

I don't know if this is achievable, but... we want to see if we can automatically enrol users for Azure SSPR/MFA as soon as a mobile/cell number is added to their AD account. I can trigger the workflow OK, but the question is how to push out a change into AAD that adds the user to the SSPR/MFA policy?

It seems that MS have deliberately disabled this being based on AD group memberships, and it is now based on AAD policies, with the intention that this is managed directly through AAD.

So wondering if it's possible to do this from the AD side somehow?

Many thanks

by (310 points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello Bernie,

Currently, Microsoft recommends using conditional access to enforce MFA on a per-group basis. The following article should be helpful: https://docs.microsoft.com/en-us/azure/ ... ess-policy.
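
The per-group approach from the answer above, sketched as an added example (not code from the answer or from Microsoft's article). It assumes a hypothetical AD security group named `MFA-Enrolled` that is synced to Azure AD, the ActiveDirectory and Microsoft Graph PowerShell modules, and a hypothetical policy name; the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example: group name and policy name are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.SignIns

$groupName = 'MFA-Enrolled'   # hypothetical AD security group, synced to Azure AD

# --- On-premises side: add users that have a mobile number and are not yet members.
# Assumes the group DN contains no characters that need LDAP filter escaping.
$groupDn = (Get-ADGroup -Identity $groupName).DistinguishedName
$filter  = "(&(objectCategory=person)(objectClass=user)(mobile=*)(!(memberOf=$groupDn)))"
$users   = @(Get-ADUser -LDAPFilter $filter)
if ($users.Count -gt 0) {
    Add-ADGroupMember -Identity $groupDn -Members $users
}
# The new memberships reach Azure AD on the next directory sync cycle.

# --- Cloud side (one-time setup): Conditional Access policy scoped to that group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

$cloudGroup = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($cloudGroup.Count -ne 1) {
    throw "Expected exactly one Azure AD group named '$groupName', found $($cloudGroup.Count)."
}

$policy = @{
    displayName   = "Require MFA for $groupName"            # hypothetical name
    state         = 'enabledForReportingButNotEnforced'     # report-only first
    conditions    = @{
        users          = @{ includeGroups = @($cloudGroup[0].Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Only the on-premises half needs to run from the workflow that fires when the mobile number is set; switching `state` to `enabled` enforces the policy once the report-only results look right.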
