
I am trying to implement the 'registration campaign' feature in the azure portal. As outlined here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign

My goal is to have users be prompted to register the Microsoft Authenticator app for passwordless sign-in. With these requirements:

  • On their initial sign-in (where they reset their password)
  • Without a manual step (like enabling a user for MFA in the portal), as I am creating users via the Graph API. Graph API calls to configure users are okay; PowerShell is less desirable.
  • Ideally, the user is able to defer the Authenticator sign-up
  • Ideally, the user is not prompted to supply an MFA phone number

I have Security Defaults turned off, I have enabled the Microsoft Authenticator and Email OTP authentication methods, I have enabled the registration campaign, and I believe I currently have no forms of MFA turned on (but I had tried a few).

Working through the prerequisites mentioned in the article, I tried several configurations but was never able to get a new user prompted to register the Authenticator app. I will outline my confusion with the prerequisites:

Prerequisite 1

Your organization must have enabled Azure AD Multi-Factor Authentication. Every edition of Azure AD includes Azure AD Multi-Factor Authentication. No additional license is needed for a registration campaign.

  • It seems there are multiple ways to enable MFA, and it isn't clear which methods are appropriate.
  • I tried adding MFA on all sign-ins with conditional access, and it didn't seem to have an effect. Also, wouldn't doing this defeat the purpose of using the Authenticator app? And it's unclear which MFA option I should be using.
  • I don't think that I want MFA enabled through security defaults (again, trying to avoid using phone number) or via Identity Protection (seems to be superseded by conditional access)
  • There also appears to be an MFA server, but I am assuming that this is not applicable, so I have ignored it.
  • Is there another place to enable MFA?

Prerequisite 2

Users can't have already set up the Authenticator app for push notifications on their account.

  • This shouldn't be an issue as this is a new environment and I haven't registered any Authenticator apps yet.

Prerequisite 3a

Admins need to enable users for the Authenticator app using one of these policies:

  • MFA Registration Policy: Users will need to be enabled for Notification through mobile app.
  • I believe this is referring to the Multifactor authentication registration policy in Identity Protection, but I enabled it and it didn't seem to have an effect.
  • Perhaps this is referring to something else?

Prerequisite 3b

  • Authentication Methods Policy: Users will need to be enabled for the Authenticator app and the Authentication mode set to Any or Push. If the policy is set to Passwordless, the user won't be eligible for the nudge. For more information about how to set the Authentication mode, see Enable passwordless sign-in with Microsoft Authenticator.
  • I have enabled the 'Microsoft Authenticator' Authentication Method Policy with 'Any' mode, but I am unsure if it is in effect.
  • According to the Azure portal I may require 'combined registration' to be turned on: 'If your tenant doesn’t yet use combined security info registration, turn it on now – it’s required to use this policy.' Following the documentation, I am unable to figure out where and how I can see if this feature is enabled or not. This document appears like it should tell me, but it does not: https://learn.microsoft.com/en-ca/azure/active-directory/authentication/howto-registration-mfa-sspr-combined
  • Perhaps 'combined registration' being the new default means it's always on? And that authentication methods should be working? But then why would it present that message?
  • What does it mean by 'Users will need to be enabled...'? The whole point of this feature is to have the user enable the authenticator app when they sign in right?

Perhaps there is a guide somewhere to set this up? I've only found instructions beginning at the point where the prerequisites have been met.

fei0x
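As an added example (not part of the question, the answer, or Microsoft's documentation), the following Python script checks the prerequisites listed above offline, against JSON shaped like the Microsoft Graph `authenticationMethodsPolicy` resource (`GET /policies/authenticationMethodsPolicy`) and rows shaped like the `userRegistrationDetails` report. All sample data is constructed; the field names follow the Graph resources as I understand them, and the mapping of the portal's "Passwordless" mode to the Graph value `deviceBasedPush` is my assumption about how the portal labels that value.

```python
"""Offline check of registration-campaign prerequisites.

Input shapes follow Microsoft Graph's authenticationMethodsPolicy resource
and the userRegistrationDetails report; the sample values are constructed.
"""
import copy

# Constructed sample: the shape of a GET /policies/authenticationMethodsPolicy response.
SAMPLE_POLICY = {
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "state": "enabled",            # enabled | disabled | default (Microsoft-managed)
            "snoozeDurationInDays": 1,     # how long a user may defer the nudge
            "includeTargets": [
                {"targetType": "group", "id": "all_users",
                 "targetedAuthenticationMethod": "microsoftAuthenticator"}
            ],
            "excludeTargets": [],
        }
    },
    "authenticationMethodConfigurations": [
        {
            "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
            "id": "MicrosoftAuthenticator",
            "state": "enabled",
            "includeTargets": [
                # authenticationMode: any | push | deviceBasedPush
                # (assumption: deviceBasedPush is what the portal labels "Passwordless")
                {"targetType": "group", "id": "all_users",
                 "isRegistrationRequired": False, "authenticationMode": "any"}
            ],
            "excludeTargets": [],
        },
        {"@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
         "id": "Email", "state": "enabled"},
    ],
}

# Constructed sample rows shaped like /reports/authenticationMethods/userRegistrationDetails.
SAMPLE_USERS = [
    {"userPrincipalName": "new.user@contoso.example",
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "old.user@contoso.example",
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
]

# Prerequisite 3b: only these Authenticator modes make a user eligible for the nudge.
NUDGE_ELIGIBLE_MODES = {"any", "push"}


def authenticator_config(policy):
    """Return the Microsoft Authenticator method configuration, or None if absent."""
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("id", "").lower() == "microsoftauthenticator":
            return cfg
    return None


def campaign_problems(policy):
    """List the policy-side prerequisite violations (empty list = policy looks correct)."""
    problems = []
    campaign = (policy.get("registrationEnforcement", {})
                .get("authenticationMethodsRegistrationCampaign", {}))
    if campaign.get("state") != "enabled":
        # "default" is Microsoft-managed; flag it so an admin reviews it explicitly.
        problems.append(f"registration campaign state is {campaign.get('state')!r}, not 'enabled'")
    if not campaign.get("includeTargets"):
        problems.append("registration campaign has no include targets")
    cfg = authenticator_config(policy)
    if cfg is None or cfg.get("state") != "enabled":
        problems.append("Microsoft Authenticator method is not enabled")
        return problems
    if not cfg.get("includeTargets"):
        problems.append("Microsoft Authenticator method has no include targets")
    modes = {t.get("authenticationMode") for t in cfg.get("includeTargets", [])}
    if cfg.get("includeTargets") and not modes & NUDGE_ELIGIBLE_MODES:
        problems.append("no Authenticator target uses mode any/push "
                        "(deviceBasedPush = Passwordless, which is not nudge-eligible)")
    return problems


def with_authenticator_mode(policy, mode):
    """Return a deep copy of the policy with every Authenticator target set to `mode`."""
    changed = copy.deepcopy(policy)
    for target in authenticator_config(changed).get("includeTargets", []):
        target["authenticationMode"] = mode
    return changed


def user_eligible(user_row):
    """Prerequisite 2: a user who already registered Authenticator push is not nudged."""
    return "microsoftAuthenticatorPush" not in user_row.get("methodsRegistered", [])


if __name__ == "__main__":
    print("policy problems:", campaign_problems(SAMPLE_POLICY) or "none")
    print("passwordless-only problems:",
          campaign_problems(with_authenticator_mode(SAMPLE_POLICY, "deviceBasedPush")))
    for row in SAMPLE_USERS:
        print(row["userPrincipalName"], "nudge-eligible:", user_eligible(row))
```

To run this against a real tenant, replace the two constructed samples with the JSON returned by the Graph calls named above (the `Policy.Read.All` and `AuditLog.Read.All` permissions are the ones I would expect to need for those reads, respectively); the logic itself does not change.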


I tried to reproduce the same in my environment and got the results like below:

Note that: to set up a registration campaign, the users must have MFA enabled.

For testing, I enabled MFA for only one user like below:

Go to Azure Portal -> Users -> Click on Per-user MFA


Now, I enabled registration campaign in the Azure portal like below:

Go to Azure Portal -> Security -> Authentication methods -> Policies -> Click on Microsoft Authenticator


Click on Registration campaign, edit and save like below:

You can select All users; I added only one user for testing.


After the above configuration, I tried to login with the user like below:

I configured phone authentication for the user:

After entering the code, I got the screen to set up the Authenticator app successfully like below:

I configured the Authenticator app:

After successful configuration, while signing in I got the screen to approve the sign-in request like below:

To enable MFA for all users, you can make use of the bulk update option like below:

Rukmini
  • Thank you @Rukmini. When I enabled specific users, I do see this working, with mixed success. But I'm afraid you've omitted three key points I'm looking for: 1. I'd like the user to be prompted on their first sign-in. 2. I'd like them not to be prompted for a phone number. 3. Since I'm creating the users via the Graph API, I'd like to not have a manual step to enable their MFA. (I'll update my description with these.) – fei0x Apr 06 '23 at 13:41
  • AFAIK MFA is required to enable the approve request screen. – Rukmini Apr 06 '23 at 14:30