I'm looking for some guidance on provisioning laptops for new employees. Traditionally, we would pre-sign them into their Microsoft Office accounts to ensure everything worked smoothly when they received their laptops. However, about a year ago, Microsoft changed things, and now every new user we create is forced into 2FA right from the first sign-in, despite their accounts showing that 2FA is disabled. Because of this, we had to stop the pre-sign-in process. After some recent digging, I discovered that I can disable the forced 2FA by going to Entra ID settings and turning off security defaults. I've never dealt with Entra before when managing our Office accounts through the standard admin portal. I'm concerned about what turning off security defaults might affect. Is there a better way to pre-sign into Office when setting up laptops for new starters?
5 Answers
One effective approach is to allow MFA bypass when users are signing in from your office. You can complete most setups beforehand, and they only need to deal with MFA on external logins.
If you can use TAP, that’s a solid solution. Also, you might want to look into conditional access policies. They can help manage MFA without disabling security defaults.
It’s really essential to manage things with TAP along with a registration campaign for new users. You can target a specific dynamic group to streamline the process.
Have you considered using a Temporary Access Pass (TAP)? It allows you to set up laptops without needing to sign in with the user's credentials. It might save you from the hassle of the 2FA issue altogether.
Definitely avoid turning off MFA entirely. The TAP method is the right way to go if you need to bypass it temporarily. Just make sure they've registered a token after their first sign-in.
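
The Temporary Access Pass approach suggested in the answers above, as an added example that is not part of the original thread: issue a short-lived TAP for laptop setup, then confirm the user registered a real MFA method after their first sign-in. It assumes the Microsoft Graph PowerShell SDK is installed and that TAP is enabled in the tenant's authentication methods policy. The UPN, lifetime and function names are constructed for illustration.

```powershell
# Added example. Assumes the Microsoft.Graph module is installed and Temporary
# Access Pass is enabled in the tenant's authentication methods policy.
# Function names and the UPN below are hypothetical.

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

function New-ProvisioningTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Must fall within the lifetime range allowed by the tenant's TAP policy.
        [int] $LifetimeInMinutes = 120
    )
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter @{
        isUsableOnce      = $true
        lifetimeInMinutes = $LifetimeInMinutes
    }
    # The pass value is only returned at creation time, so hand it straight
    # to whoever is setting up the laptop and do not store it.
    return $tap.TemporaryAccessPass
}

function Test-MfaRegistered {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # Each method's concrete type is carried in the @odata.type property.
    $types = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    # A password or a leftover TAP does not count as a registered second factor.
    $notMfa = @(
        '#microsoft.graph.passwordAuthenticationMethod',
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
    )
    $registered = @($types | Where-Object { $_ -notin $notMfa })

    if ($registered.Count -eq 0) {
        Write-Warning "$UserPrincipalName has no MFA method registered yet."
        return $false
    }
    return $true
}

$upn = 'new.starter@example.com'   # constructed placeholder
New-ProvisioningTap -UserPrincipalName $upn

# Run after the new starter's first sign-in:
Test-MfaRegistered -UserPrincipalName $upn
```

Security defaults stay on throughout; the TAP satisfies the sign-in requirement during setup and expires on its own.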
