A Registration Campaign in Microsoft Entra is a great way to encourage users to adopt a stronger multi-factor authentication method, improving the overall security posture of your organisation and putting you well on your way to passwordless authentication.
In this tutorial, I am going to show you how to set up a Registration Campaign for the Microsoft Authenticator app in the Microsoft Entra Admin Center using Microsoft Graph PowerShell.
The purpose of Registration Campaigns
The goal of using a Registration Campaign is to prompt users to enrol the Microsoft Authenticator app as their primary authentication method for Multi-Factor Authentication. The Authenticator app is deemed one of the most secure methods of MFA while being arguably the simplest and least impactful method for the end user.
Once the Registration Campaign is complete and all your target users have enrolled in the more secure Authenticator app method, less secure methods such as Voice and SMS can then be disabled via policy for user sign-in.
How Registration Campaigns work
Registration Campaigns work by prompting (or nudging) the user to register the Microsoft Authenticator app on a schedule or every time they sign in, depending on the settings you configure.
The users targeted by the campaign must already be registered for multi-factor authentication using a less secure method such as voice or SMS. When such a user logs into their account at an interactive login prompt (such as at office.com), they will first be asked to complete their existing MFA challenge, then they will be prompted with ‘Improve your sign-ins. Better guard your account with the Microsoft Authenticator app. Prove who you are easily through push notifications.’ The user can then choose to complete this now, or click Not now and register another day.
If the user decides to register for Microsoft Authenticator right away, they will be redirected to the mysignins.microsoft.com page to complete the setup of the Authenticator app. Otherwise, they can choose to skip registration up to a maximum of 3 times before being forced to register.
F.A.Q
What logins does this impact?
Registration Campaigns will only prompt users to register for multi-factor authentication when logging in through a web browser. Interactive browser windows during client application sign-in (such as Outlook) will not be impacted.
How many times can a user skip the registration prompt?
The registration prompt can be skipped a maximum of 3 times, after which the user will be forced to register for the Microsoft Authenticator app.
What if I already use a third-party authenticator app?
If you are not registered with the Microsoft Authenticator app, you will be prompted to register, regardless of whether you are already using a third-party app.
Can I still target user security info registration with Conditional Access?
Yes, but bear in mind that if a user is forced to register for the Authenticator app after skipping the prompt 3 times and they are not within a secure area where they are allowed to register security info, they will not see the prompt. While this may be helpful, it could also be seen as a security bypass.
What if a user closes their browser instead of clicking ‘Not now’?
This is seen as the same as skipping the prompt and will count towards the skip limit.
How to set up Registration Campaigns in Microsoft Entra
Follow the steps below to set up a registration campaign in the Microsoft Entra admin center:
1. Log in to Microsoft Entra
2. Under Protection, select Authentication methods > Registration Campaign
3. Click Edit and configure your desired settings. I recommend you Enable the registration campaign with the Days allowed to snooze setting at 0, then target all users, while excluding any necessary users.
4. When you are done, click Save.
How to set up Registration Campaigns with Microsoft Graph PowerShell
To configure the Registration Campaign with Microsoft Graph PowerShell, use the Update-MgBetaPolicyAuthenticationMethodPolicy cmdlet. For this, you will need to grant tenant-wide access to the Policy.ReadWrite.AuthenticationMethod permission. Do this with the following command:
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod
Once your session is authorised, use the following script to enable the Registration Campaign:
# Body for the authentication methods policy update.
# Note: the author recommends a snooze of 0 days in the portal steps above;
# 0 prompts at every sign-in, any value above 0 is the number of days between prompts.
$params = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            snoozeDurationInDays = 1
            state = "enabled"
            # Users or groups to leave out of the campaign (none here)
            excludeTargets = @(
            )
            # Target every user and nudge them towards Microsoft Authenticator
            includeTargets = @(
                @{
                    id = "all_users"
                    targetType = "group"
                    targetedAuthenticationMethod = "microsoftAuthenticator"
                }
            )
        }
    }
    # Separate setting in the same policy: lets users report unexpected MFA prompts
    reportSuspiciousActivitySettings = @{
        state = "enabled"
        includeTarget = @{
            targetType = "group"
            id = "all_users"
        }
        voiceReportingCode = 0
    }
}
Update-MgBetaPolicyAuthenticationMethodPolicy -BodyParameter $params
Once you have run the script without error, use the Get-MgBetaPolicyAuthenticationMethodPolicy cmdlet to verify the new setting is enabled:
(Get-MgBetaPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign.state
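Before disabling voice and SMS sign-in, it helps to know how far the campaign has got. The script below is an added example, not code from the original post or from Microsoft: it reads back the full campaign configuration and then lists the MFA-registered users who still have no Microsoft Authenticator registration, using the Microsoft Graph beta user registration details report. The scopes and the method names matched in MethodsRegistered ('microsoftAuthenticatorPush', 'mobilePhone', 'alternateMobilePhone', 'officePhone') are assumptions taken from the Graph documentation as I know it; confirm them against your tenant's output before relying on the numbers.

```powershell
# Added example: audit the Registration Campaign settings and measure enrolment progress.
# Assumes the Microsoft.Graph.Beta modules are installed.
# Assumed scopes: Policy.Read.All for the policy, AuditLog.Read.All and
# UserAuthenticationMethod.Read.All for the registration details report.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Show the campaign configuration currently applied in the tenant
$policy   = Get-MgBetaPolicyAuthenticationMethodPolicy
$campaign = $policy.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign

[PSCustomObject]@{
    State                = $campaign.State
    SnoozeDurationInDays = $campaign.SnoozeDurationInDays
    IncludeTargets       = ($campaign.IncludeTargets | ForEach-Object { "$($_.TargetType):$($_.Id)" }) -join ', '
    ExcludeTargets       = ($campaign.ExcludeTargets | ForEach-Object { "$($_.TargetType):$($_.Id)" }) -join ', '
} | Format-List

# 2. Find MFA-registered users who rely on phone-based methods and have not yet
#    registered the Microsoft Authenticator app (method names are an assumption).
$phoneMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
$details      = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All
$mfaUsers     = @($details | Where-Object { $_.IsMfaRegistered })

$pending = @($mfaUsers | Where-Object {
    ($_.MethodsRegistered -notcontains 'microsoftAuthenticatorPush') -and
    (@($_.MethodsRegistered | Where-Object { $phoneMethods -contains $_ }).Count -gt 0)
})

"{0} of {1} MFA-registered users still have no Microsoft Authenticator registration" -f $pending.Count, $mfaUsers.Count

# 3. Export the list so the remaining users can be followed up before SMS/voice are disabled
$pending |
    Select-Object UserPrincipalName, DefaultMfaMethod,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object UserPrincipalName |
    Export-Csv -Path .\authenticator-campaign-pending.csv -NoTypeInformation
```

Run it periodically while the campaign is active; once the exported list is empty (or down to the users you deliberately excluded), the voice and SMS methods can be disabled in the authentication methods policy with much less risk of locking anyone out.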
The end-user experience
Once the Registration Campaign is enabled, users who do not have the Microsoft Authenticator app registered with number matching will automatically be prompted to enrol.
For example, a user will navigate to office.com (or a similar Microsoft 365 service) and proceed to log in. After the initial sign-in, they will be asked to complete their existing multi-factor authentication challenge.
Once complete, another prompt will appear with the following text:
The user will then be taken to the usual security registration page to register for the Microsoft Authenticator app.
Hi Daniel,
This is a great way to push the end users to enable MFA at once. Thanks for sharing this.
Welcome Vinod, thanks for reading! 🙂