I'm looking for advice on how to manage the MFA setup for new employees who join with their own devices but haven't created their Microsoft 365 MFA keys yet. They need to be able to register their MFA before their first day, but this presents a challenge as they won't have their Authenticator app or any hardware keys ready to go. I'm seeking secure and efficient solutions for facilitating their first login with minimal friction, while also maintaining MFA as a mandatory requirement long-term. Here are a few ideas I'm considering:
- Using Temporary Access Pass (TAP) in Entra ID?
- Offering a supervised setup session during their induction?
- Implementing a more automated workflow?
I'd appreciate hearing how others are handling this, especially if you've got a streamlined approach in place that works remotely.
6 Answers
We’ve set things up so that when they first log in, they’re prompted to set up the Authenticator app before they can access anything. It's a straightforward approach that seems to work.
Another method we've used is provisioning a FIDO2 key for the user via the Graph API and handing it over to them on their first day. This allows for secure MFA setup right from the start without much hassle.
We created a straightforward manual guide for downloading and setting up the Authenticator app. Most new hires can follow it without problems, but if they struggle, they're encouraged to ask their manager for assistance.
In some cases, we invite new hires to the office to set up their devices. Here, they don't need MFA to set up new devices due to trusted location exemptions, allowing them to register their MFA on our network easily.
Our process involves the manager getting the onboarding details, and the new user is required to change their password and set up MFA on their first login. This has worked well for us.
Using TAP for onboarding has been really effective and secure in our organization. We generate the TAP right when the new hire needs it, which ensures only they can access their account without any prior setup. This process can be done remotely and doesn’t require specialized knowledge, making it user-friendly.

Absolutely, generating the TAP on the fly reduces the risk and keeps things simple. We found that initial MFA registration on our internal network can occur without a TAP, but everything else requires one.
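The on-demand TAP issuance described in the answer and reply above, as an added PowerShell example (not code from the thread or from Microsoft) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the Temporary Access Pass method is enabled in the tenant's authentication methods policy, and the caller holds the UserAuthenticationMethod.ReadWrite.All scope; the user principal name and lifetime values are placeholders.

```powershell
# Added example (not from the thread): mint a single-use, short-lived Temporary Access Pass
# for a new hire at the moment it is needed, and keep the secret out of the audit trail.
# Assumptions: Microsoft.Graph module installed, TAP enabled in the tenant's authentication
# methods policy, caller granted UserAuthenticationMethod.ReadWrite.All.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. new.hire@contoso.example (placeholder)
    [int] $LifetimeInMinutes = 60,                         # short window; raise only with a reason
    [switch] $Reusable                                     # default is one-time use
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# Stop (rather than continue with $null) if the UPN does not resolve.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName -ErrorAction Stop

# Refuse to mint a second pass while an unexpired one exists: a duplicate request usually
# means the first pass leaked or the wrong person asked, and that deserves a human look.
$existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id |
    Where-Object { $_.IsUsable }
if ($existing) {
    throw "An active TAP already exists for $($user.UserPrincipalName) (created $($existing.StartDateTime)); revoke it first."
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -LifetimeInMinutes $LifetimeInMinutes `
    -IsUsableOnce:(-not $Reusable) `
    -StartDateTime (Get-Date).ToUniversalTime()

# Only non-secret metadata is emitted as an object (suitable for a ticket or log).
[pscustomobject]@{
    User        = $user.UserPrincipalName
    TapMethodId = $tap.Id
    ExpiresUtc  = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTimeUse  = $tap.IsUsableOnce
} | Format-List

# The pass itself is shown once to the operator, who relays it out of band (phone or in person);
# it is never written to the ticket, email or log.
Write-Host "Temporary Access Pass (relay verbally, do not store): $($tap.TemporaryAccessPass)"
```

The `IsUsable` pre-check and the one-time default are what keep a leaked or stale pass from being replayed after the new hire has registered Authenticator or a FIDO2 key.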