Understanding Registration Campaign Policy in Microsoft Entra ID

5 min read


Welcome to this tutorial.

Today, we will discuss the Registration Campaign, an initiative that encourages users to adopt a more robust authentication method, specifically the Microsoft Authenticator app.

This applies even to those who currently use regular SMS or phone authentication.

The objective of this campaign is to compel users to reauthenticate using the Authenticator app.

This requires users to download and authenticate exclusively through the app.

However, the deployment details of this Authenticator app remain undisclosed, and it is not implemented through the Azure MFA policy or any third-party involvement.

Let’s navigate through this process.

We’ll start at the Microsoft Entra ID Center, formerly known as the Azure AD Center.

Scroll down to ‘Protection’, then proceed to ‘Authentication Methods’.

On the left, you’ll find the ‘Registration Campaign’ tab.

Click on it.

The intention here is to establish a more secure method.

You have the flexibility to exclude users in specific scenarios or if you don’t plan to introduce them to Microsoft Authenticator at this point.

In this section, you’ll notice options for ‘Days to Alert’, ‘Snooze Options’, and the limited number of attempts once the policies are enforced, which is three.

The designated method is Microsoft Authenticator, the sole option at the top.

Assume your users currently rely on SMS authentication.

This campaign will prompt them to adopt the mobile authenticator, necessitating a download.

There may be various reasons why you might hesitate to implement this at present.

However, keep in mind that this will likely be the exclusive method of account authentication early next year, with Microsoft discontinuing other methods such as SMS.

It serves as an effective way to train users.

For external users, you can selectively include or exclude users to test the mobile authenticator’s functionality.

If you wish to modify the settings based on your requirements, click on ‘Edit’.

There are three states: ‘Enabled’, ‘Disabled’, and ‘Microsoft Managed’.

If Microsoft manages the features, enabling or disabling them depends on their decision.

Though you can choose to disable it if you prefer it not to be implemented in your tenant.

However, considering Microsoft Authenticator will be the sole means of authentication in a move towards passwordless for enhanced security, it’s advisable to test with a subset of users.

To do this, click on ‘All Users’, and you’ll find the option to select specific groups.

You can either create a user or a few users for testing purposes.

Alternatively, exclude some users while including others by navigating to ‘Excluded Users and Groups’, adding specific users or searching for groups in your tenant.

This tool is valuable but can cause panic if you’re unaware of it and searching in conventional locations for the authenticator implementation yields no results.

To delve deeper, you can refer to the article on the registration campaign, which should appear in your search.

The prerequisites for this process are a Microsoft authentication tenant and an Authenticator app with a minimum version, typically already in use by most users.

For users already having Authenticator, testing is not possible since they are already on SMS or another method.

Administrators will enable Azure MFA, and the user experience is crucial.

The initial query is whether the user successfully authenticated using Microsoft Enterprise Multifactor Authentication.

For instance, a user accustomed to SMS authentication logging in will now be prompted due to the enabled authentication registration campaign.

They can choose to skip for now during the snooze time, which is three as indicated.

This process essentially compels users to download the mobile authenticator app.

Follow the steps to get them enrolled, and that concludes the process.

I hope this explanation was helpful.

Thank you.

360 Visibility