Unit 3: Plan Your Multifactor Authentication Deployment

Deploying MFA requires careful planning to minimize disruption and ensure adoption.

Rollout Strategy

• Deploy MFA in waves starting with a small pilot group.
• Identify unsupported applications or special scenarios before expanding.
• Gradually include the rest of the organization after testing.

Communication Plan

A clear communication plan helps ensure users are prepared.

• Inform users about the MFA requirement and upcoming deadlines.
• Explain registration steps and expected changes.
• Share support contacts and troubleshooting guidance.
• Use Microsoft templates for posters, emails or notices if needed.

Enforcing MFA with Conditional Access

Conditional Access policies enforce MFA using an IF–THEN logic.

Examples include:

• If a user accesses a sensitive cloud application, then require MFA.
• If a user signs in from an untrusted network, then require MFA.
• If a user registers a new device, then require MFA.

Choosing Authentication Methods

Organizations should enable multiple authentication methods to give users backup options.

Common methods include:

• Mobile app verification codes.
• Mobile app push notifications.
• Phone call approvals.
• FIDO2 security keys.
• Windows Hello for Business.
• OATH software or hardware tokens.

User Registration

Administrators must decide how users will register for MFA.

Options include:

• Using Microsoft Entra ID Protection to prompt users automatically.
• Prompting users when accessing an app requiring MFA.
• Enforcing registration through Conditional Access and user groups.