Get started with Registration Campaigns in Azure AD

  • Do you have users enrolled in MFA but using SMS as the 2nd-factor authentication method?
  • Do you want to nudge them to do MFA with the MS Authenticator app instead?

Registration Campaign (a well-kept secret at the moment!) can help you in that quest, and this blog post helps you get started with Registration Campaign in Azure AD.

Create Registration Campaign in Azure AD

Query https://graph.microsoft.com/beta/authenticationMethodsPolicy in Graph Explorer and you will see the default configuration of Registration Campaign in your tenant.

If you are new to using the Microsoft Graph API, I would suggest reading the blog posts listed below to get started quickly.
Explore Microsoft Graph with Graph Explorer – Get started with MS Graph API
Understanding AUTH for Microsoft Graph API
Get started with PowerShell to run MS Graph API queries – Part 1
Get started with PowerShell to run Graph API queries – Part 2
This is the default configuration of Registration Campaign in your Azure AD tenant

As the screenshot shows, the current state is default and the policy targets All Users.

Let’s now go ahead and change the Registration Campaign policy state from default to enabled.

This requires the Policy.ReadWrite.AuthenticationMethod permission to be consented.

Use Graph API PATCH query to change the Registration Campaign policy state from default to enabled.

If successful, the query returns no response body, only the HTTP success code. To confirm, run the GET query above again and check that the state has changed to enabled.

Confirm the change in policy state of the Registration Campaign.

Since I am doing this in my lab environment, enabling this feature for all users is not a matter of concern for me.

But if you want to test it out at your end, you may want to enable it for a pilot group of users only. This is easily done in the same PATCH query: instead of “all_users” in the “includeTargets” section, specify the GUID of a group that contains your pilot users.

{
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "snoozeDurationInDays": 1,
            "state": "enabled",
            "excludeTargets": [],
            "includeTargets": [
                {
                    "id": "<Azure AD Group GUID>",
                    "targetType": "group",
                    "targetedAuthenticationMethod": "microsoftAuthenticator"
                }
            ]
        }
    }
}
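The PATCH and the confirming GET described above, done from PowerShell with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, and the group ID is a placeholder you replace with your pilot group's object ID.

```powershell
# Added example (not from the original post): enable the Registration Campaign
# for a pilot group via the Microsoft Graph PowerShell SDK, then read the policy
# back to confirm the state changed. Assumes the Microsoft.Graph module is installed.

# The PATCH needs Policy.ReadWrite.AuthenticationMethod consented for this session.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$policyUri = "https://graph.microsoft.com/beta/authenticationMethodsPolicy"

# Placeholder: replace with the object ID of the Azure AD group holding your pilot users.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"

# Same shape as the JSON body shown above; "group" instead of "all_users" scopes the nudge.
$body = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            snoozeDurationInDays = 1
            state                = "enabled"
            excludeTargets       = @()
            includeTargets       = @(
                @{
                    id                           = $pilotGroupId
                    targetType                   = "group"
                    targetedAuthenticationMethod = "microsoftAuthenticator"
                }
            )
        }
    }
} | ConvertTo-Json -Depth 10   # default depth would truncate the nested object

# A successful PATCH returns only an HTTP success code and no body.
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body -ContentType "application/json"

# Read the policy back and confirm the campaign is enabled and scoped to the pilot group.
$policy   = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$campaign = $policy.registrationEnforcement.authenticationMethodsRegistrationCampaign

if ($campaign.state -ne "enabled") {
    throw "Registration Campaign state is '$($campaign.state)', expected 'enabled'."
}
if ($campaign.includeTargets | Where-Object { $_.id -eq "all_users" }) {
    Write-Warning "Campaign still targets all_users rather than only the pilot group."
}
$campaign.includeTargets | Format-Table id, targetType, targetedAuthenticationMethod
```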

User Sign-in Experience with Registration Campaign enabled

Let’s check what happens when I try to sign in with a user account that has SMS (Phone – Text) set as its MFA method and is now targeted by the Registration Campaign.

User Sign-in Experience with Registration Campaign enabled for an account that is enrolled to MFA and is using SMS as 2nd factor.

Here I am signing in to one of the M365 cloud services (which one doesn’t really matter) using the account shown above.

Provide User UPN to sign-in

I provide the usual account credentials to go through.

Provide user credentials.

As usual, it asks for the SMS code as received on the phone.

Provide code received via SMS as 2nd factor.

But once I entered the code received via SMS and clicked the Verify button in the snap above, I got to see Registration Campaign in action.

Registration Campaign in action - nudge users to set and use Microsoft Authenticator for MFA.

This prompt is what Registration Campaign is all about – reminding users to set and use Microsoft Authenticator for MFA rather than the current MFA method (SMS phone-based).

As you can see, users can choose not to set up Microsoft Authenticator on this sign-in. In that case, the current sign-in flow still completes successfully. Depending on the value of the “snoozeDurationInDays” property in the Registration Campaign configuration, the user will be reminded again to set up MS Authenticator.

Assuming the user clicks Next to set up MS Authenticator, below is the setup experience the user goes through.

Portal End:

Setup MS Authenticator as default sign-in method

Device End:

Setup MS Authenticator as default sign-in method

After scanning the QR code, the account is added, and the process sends a push notification to the Authenticator app on the device to confirm the account setup.

Portal End:

Setup MS Authenticator as default sign-in method

Device End:

Setup MS Authenticator as default sign-in method

The user needs to tap the Approve button to confirm the account setup.

Portal End:

Setup MS Authenticator as default sign-in method

Clicking Done completes the process.

You can see that the default sign-in method for the account has changed from Phone (SMS text code) to Microsoft Authenticator.

Wrap Up

You can check the MS Graph documentation of authenticationMethodsRegistrationCampaign to learn more about it.
That was all for today. Thanks for reading!