- Do you have users enrolled in MFA but using SMS as the 2nd-factor authentication method?
- Do you want to nudge them to do MFA with the MS Authenticator app instead?
Registration Campaign (currently something of a secret!) can help you in your quest, and this blog post helps you get started with Registration Campaign in Azure AD.
Create Registration Campaign in Azure AD
Query https://graph.microsoft.com/beta/authenticationMethodsPolicy in Graph Explorer and you will see the default configuration of Registration Campaign in your tenant.
If you are new to using the Microsoft Graph API, I would suggest giving the blog posts below a read to help you get started quickly.
- Explore Microsoft Graph with Graph Explorer – Get started with MS Graph API
- Understanding AUTH for Microsoft Graph API
- Get started with PowerShell to run MS Graph API queries – Part 1
- Get started with PowerShell to run Graph API queries – Part 2
As can be seen from the screenshot, the current state is default and it is targeting All Users.
Let's now go ahead and change the Registration Campaign policy state from default to enabled.
This requires the Policy.ReadWrite.AuthenticationMethod permission to be consented.
If successful, the query returns no response body, only the HTTP success code. To check and confirm, run the GET query above and verify that the state has changed to enabled.
Since I am doing this in my lab environment, enabling this feature for all users is not a matter of concern for me.
But if you want to test it out at your end, you may want to enable it for a pilot group of users only. This can be done easily in the same PATCH query: instead of using "all_users" in the "includeTargets" section, specify the GUID of a group that contains your pilot users.
{
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {
      "snoozeDurationInDays": 1,
      "state": "enabled",
      "excludeTargets": [],
      "includeTargets": [
        {
          "id": "<Azure AD Group GUID>",
          "targetType": "group",
          "targetedAuthenticationMethod": "microsoftAuthenticator"
        }
      ]
    }
  }
}
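As an added example (not code from the original post), here is a small Python helper that reads the campaign state out of the GET response, builds the PATCH body for either all users or a pilot group, and sends it. The endpoint and the required permission are the ones named above; the sample policy and the all-zero group GUID are constructed, and obtaining the bearer token is assumed to happen elsewhere.

```python
import json
import urllib.request
import uuid

# Endpoint from the post; the PATCH goes to the same URL as the GET.
GRAPH_URL = "https://graph.microsoft.com/beta/authenticationMethodsPolicy"

# Constructed sample of what the GET returns for a tenant still on the defaults
# (state "default", targeting all users), trimmed to the section we care about.
SAMPLE_DEFAULT_POLICY = {
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "snoozeDurationInDays": 1,
            "state": "default",
            "excludeTargets": [],
            "includeTargets": [{"id": "all_users", "targetType": "group",
                                "targetedAuthenticationMethod": "microsoftAuthenticator"}],
        }
    }
}

def campaign_summary(policy):
    """Pull the campaign state and targets out of a GET response so a pilot can be verified."""
    camp = policy["registrationEnforcement"]["authenticationMethodsRegistrationCampaign"]
    targets = [t["id"] for t in camp.get("includeTargets", [])]
    return {"state": camp["state"], "snooze_days": camp["snoozeDurationInDays"],
            "targets": targets, "all_users": "all_users" in targets}

def build_campaign_patch(state="enabled", snooze_days=1, group_id=None):
    """Build the PATCH body. group_id=None keeps the all-users target; a GUID scopes it to a pilot group."""
    if state not in ("default", "enabled", "disabled"):
        raise ValueError(f"unsupported state: {state}")
    if group_id is not None:
        uuid.UUID(group_id)  # raises ValueError if it is not a well-formed GUID
    target = {"id": group_id or "all_users", "targetType": "group",
              "targetedAuthenticationMethod": "microsoftAuthenticator"}
    return {"registrationEnforcement": {"authenticationMethodsRegistrationCampaign": {
        "snoozeDurationInDays": snooze_days, "state": state,
        "excludeTargets": [], "includeTargets": [target]}}}

def patch_policy(token, body):
    """Send the PATCH with a bearer token that has Policy.ReadWrite.AuthenticationMethod consented.
    Graph answers with an empty success response (204), so the status code is the only thing to check."""
    req = urllib.request.Request(GRAPH_URL, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    print(campaign_summary(SAMPLE_DEFAULT_POLICY))
    print(json.dumps(build_campaign_patch(group_id="00000000-0000-0000-0000-000000000000"), indent=2))
```

Run campaign_summary on the live GET response after the PATCH to confirm the state is "enabled" and that all_users is False for a pilot rollout.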
User Sign-in Experience with Registration Campaign enabled
Let's check what happens when I try to sign in with a user account that has SMS (Phone – Text) set as its default auth method and is now targeted by the Registration Campaign.
Here I am signing in to one of the M365 cloud services (which one doesn't really matter) using the account shown above.
I provide the usual account credentials to go through.
As usual, it asks for the SMS code as received on the phone.
But once I entered the code received via SMS and clicked the Verify button in the screenshot above, I got to see Registration Campaign in action.
This prompt is what Registration Campaign is all about: reminding users to set up and use Microsoft Authenticator for MFA rather than their current MFA method (SMS phone-based).
As you can see, users can choose not to set up Microsoft Authenticator during this sign-in. In that case, the current sign-in flow still completes successfully. Depending on the value of the "snoozeDurationInDays" property in the Registration Campaign configuration, the user will be reminded again to set up MS Authenticator.
Assuming the user clicks Next to set up MS Authenticator, below is the setup experience the user will go through.
Portal End:
Device End:
After scanning the QR code, the account gets added, and the process sends a push notification to the Authenticator app on the device to confirm the account setup.
Portal End:
Device End:
The user needs to tap the Approve button to confirm the account setup.
Portal End:
Once you click Done, the process is complete.
You can see that the default sign-in method for the account has changed from Phone (SMS text code) to Microsoft Authenticator.
Wrap Up
You can check the MS Graph documentation for authenticationMethodsRegistrationCampaign to learn more about it.
That was all for today. Thanks for reading!