How to Setup Registration Campaigns for MFA in Microsoft Entra

A Registration Campaign in Microsoft Entra is a great way to encourage users to adopt a stronger multi-factor authentication method, aiding towards a better overall security posture of your organisation and putting you well on your way to passwordless authentication.

In this tutorial, I am going to show you how to set up a Registration Campaign for the Microsoft Authenticator app in the Microsoft Entra Admin Center using Microsoft Graph PowerShell.

The purpose of Registration Campaigns

The goal of a Registration Campaign is to prompt users to enrol the Microsoft Authenticator app as their primary authentication method for Multi-Factor Authentication. The Authenticator app is regarded as one of the most secure MFA methods while also being arguably the simplest and least disruptive for the end user.

Once the Registration Campaign is complete and all your target users have enrolled in the more secure Authenticator app method, less secure methods such as Voice and SMS can then be disabled via policy for user sign-in.

How Registration Campaigns work

Registration Campaigns work by prompting (or nudging) the user to register the Microsoft Authenticator app on a schedule or every time they sign in, depending on the settings you configure. 

The users targeted by the campaign must already be registered for multi-factor authentication using a less secure method such as voice or SMS. When that user logs into their account at an interactive login prompt (such as at office.com), they will first be asked to complete their existing MFA challenge, then they will be prompted to ‘Improve your sign-ins, Better guard your account with the Microsoft Authenticator app. Prove who you are easily through push notifications.’. The user can then choose to complete this now, or click Not now and register another day.

If the user decides to register for Microsoft Authenticator right away, they will be redirected to the mysignins.microsoft.com page to complete the setup of the Authenticator app. Otherwise, they can choose to skip registration up to a maximum of 3 times before being forced to register.

F.A.Q

What logins does this impact?

Registration Campaigns will only prompt users to register for Multi-Factor Authentication when signing in through a web browser. Interactive browser windows opened during client application sign-in (such as Outlook) are not affected.

How many times can a user skip the registration prompt?

The registration prompt can be skipped a maximum of 3 times, and then after, the user will be forced to register for the Microsoft Authenticator app.

What if I already use a third-party authenticator app?

If you are not registered with the Microsoft Authenticator app, you will be prompted to register, regardless of whether you already use a third-party authenticator app.

Can I still target user security info registration with Conditional Access?

Yes, but bear in mind, if a user is forced to register for the Authenticator App after skipping the prompt 3 times and they are not within a secure area where they are allowed to register security info, they will not see the prompt. While this may be helpful, it could also be seen as a security bypass.

What if a user closes their browser instead of clicking ‘Not now’?

This is seen as the same as skipping the prompt and will count towards the skip limit.

How to set up Registration Campaigns in Microsoft Entra

Follow the steps below to set up a registration campaign in the Microsoft Entra admin center:

1. Log in to Microsoft Entra

2. Under Protection, select Authentication methods > Registration Campaign

[Screenshot: Registration Campaign]

3. Click Edit and configure your desired settings. I recommend you Enable the registration campaign with the Days allowed to snooze setting at 0, then target all users, while excluding any necessary users.

[Screenshot: Registration Campaign Settings]

4. When you are done, click Save.

[Screenshot: Click Save]

How to set up Registration Campaigns with Microsoft Graph PowerShell

To configure the Registration Campaign with Microsoft Graph PowerShell, use the Update-MgBetaPolicyAuthenticationMethodPolicy cmdlet. For this, your session needs consent for the Policy.ReadWrite.AuthenticationMethod permission; request it with the following command:

Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

Once your session is authorised, use the following script to enable the Registration Campaign:

# Request body for the authentication methods policy update
$params = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            # Number of days before a user who clicked "Not now" is prompted again
            snoozeDurationInDays = 1
            state = "enabled"
            # Groups or users that should never be nudged (empty = exclude nobody)
            excludeTargets = @(
            )
            # Target every user and nudge them towards Microsoft Authenticator
            includeTargets = @(
                @{
                    id = "all_users"
                    targetType = "group"
                    targetedAuthenticationMethod = "microsoftAuthenticator"
                }
            )
        }
    }
    # Also lets users report suspicious MFA prompts from the Authenticator app
    reportSuspiciousActivitySettings = @{
        state = "enabled"
        includeTarget = @{
            targetType = "group"
            id = "all_users"
        }
        voiceReportingCode = 0
    }
}

Update-MgBetaPolicyAuthenticationMethodPolicy -BodyParameter $params

Once you have run the script without error, use the Get-MgBetaPolicyAuthenticationMethodPolicy cmdlet to verify the new setting is enabled:

(Get-MgBetaPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign.State
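The script above targets all users with an empty exclusion list. The following added example (not from the original post) applies the settings recommended in the admin center section instead: snooze set to 0 and an exclusion group resolved by display name, followed by a read-back check that fails if the campaign did not end up enabled. The group name is a placeholder, and it assumes you connected with both Policy.ReadWrite.AuthenticationMethod and Group.Read.All scopes.

```powershell
# Added example: enable the campaign for all users, exclude one group, then verify.
# Assumes: Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod, Group.Read.All
$ExclusionGroupName = "MFA Campaign Exclusions"   # placeholder, replace with your group

# Resolve the exclusion group by name and refuse to continue on 0 or >1 matches
$group = @(Get-MgGroup -Filter "displayName eq '$ExclusionGroupName'" -Property Id,DisplayName)
if ($group.Count -eq 0) { throw "Exclusion group '$ExclusionGroupName' not found." }
if ($group.Count -gt 1) { throw "Several groups named '$ExclusionGroupName'; use the object ID instead." }

$params = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                = "enabled"
            snoozeDurationInDays = 0          # 0 = prompt at every browser sign-in
            excludeTargets       = @(
                @{ id = $group[0].Id; targetType = "group" }
            )
            includeTargets       = @(
                @{
                    id                           = "all_users"
                    targetType                   = "group"
                    targetedAuthenticationMethod = "microsoftAuthenticator"
                }
            )
        }
    }
}

Update-MgBetaPolicyAuthenticationMethodPolicy -BodyParameter $params

# Read the policy back rather than trusting the absence of an error
$campaign = (Get-MgBetaPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
if ($campaign.State -ne "enabled") {
    throw "Campaign state is '$($campaign.State)', expected 'enabled'."
}
"Campaign enabled; snooze days = $($campaign.SnoozeDurationInDays); excluded: " +
    (($campaign.ExcludeTargets | ForEach-Object { $_.Id }) -join ", ")
```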

The end-user experience

Once the Registration Campaign is enabled, users who do not have the Microsoft Authenticator app registered with number matching will automatically be prompted to enrol.

For example, a user will navigate to office.com (or a similar Microsoft 365 service) and proceed to log in. After the initial sign-in, they will be asked to complete their existing multi-factor authentication challenge.

[Screenshot: initial sign-in]

Once complete, another prompt will appear with the following text:

Improve your sign-ins
Better guard your account with the Microsoft Authenticator app. Prove who you are easily through push notifications.
[Screenshot: Improve your sign-in prompt]

The user will then be taken to the usual security registration page to register for the Microsoft Authenticator app.
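The purpose section notes that SMS and voice can be disabled once the targeted users have enrolled. The following added example (not from the original post) uses the user registration details report to list MFA-registered users who still rely only on phone-based methods and have no Microsoft Authenticator method, so you can see who would be locked out before switching those methods off. It assumes a session with the AuditLog.Read.All scope, and the method names are those the report returns in MethodsRegistered.

```powershell
# Added example: find users who are still SMS/voice-only before retiring those methods.
# Assumes: Connect-MgGraph -Scopes AuditLog.Read.All
$report = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All -PageSize 999

# Method identifiers as they appear in the report's MethodsRegistered collection
$authenticatorMethods = @("microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless")
$phoneMethods         = @("mobilePhone", "alternateMobilePhone", "officePhone")

$stillPhoneOnly = foreach ($u in $report) {
    if (-not $u.IsMfaRegistered) { continue }   # unregistered users are a separate problem
    $methods          = @($u.MethodsRegistered)
    $hasAuthenticator = @($methods | Where-Object { $_ -in $authenticatorMethods }).Count -gt 0
    $hasPhone         = @($methods | Where-Object { $_ -in $phoneMethods }).Count -gt 0
    if ($hasPhone -and -not $hasAuthenticator) {
        [pscustomobject]@{
            User    = $u.UserPrincipalName
            Methods = ($methods -join ", ")
        }
    }
}

$stillPhoneOnly = @($stillPhoneOnly)
"Users still relying on SMS/voice only: $($stillPhoneOnly.Count)"
$stillPhoneOnly | Sort-Object User | Format-Table -AutoSize
```

A non-zero count means the campaign has not finished its job for those accounts; disabling SMS and voice in the policy at that point would leave them without a usable second factor.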

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Vinod

    Hi Daniel,

    This is a great way to push the end users to enable MFA at once. Thanks for sharing this.
