I'm managing devices for several small businesses on Microsoft 365 Business Standard, and we have security defaults enabled. When setting up new PCs, I typically log in as the user to adjust settings and download the Office 365 apps. However, the old 14-day grace period for multi-factor authentication (MFA) was removed, so I now need to set up MFA on my phone before I can even log into office.com for the app download. This means I have to reset MFA later so the user can set it up when they start. How do you all handle this situation? Do you simply wait to install the Office apps until the user is present? There must be a more efficient way to do this without turning off security defaults.
4 Answers
It sounds like you've got a pretty solid process! Using TAPs as an MFA method is great. Just make sure to enable them in the Entra console; it really simplifies things for new installs.
Using a Temporary Access Pass (TAP) might be the way to go! You can create a local admin account to set everything up first, then use the TAP to sign in to the user's account online without MFA. This way, they will still need to set up their MFA when they log in for real. It's a neat trick!
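A scripted version of the TAP approach from the two replies above, added here as an example and not posted by anyone in the thread: it checks that the TAP method is enabled in the tenant (the point raised about the Entra console), issues a one-time pass with a short lifetime for the new user, and removes any pass still left on the account once setup is done. It assumes the Microsoft Graph PowerShell SDK is installed and you hold a role allowed to manage authentication methods; the UPN is a placeholder.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an admin permitted to manage users'
# authentication methods. The UPN below is a placeholder.
$upn = "new.hire@contoso.example"   # placeholder, replace with the real user

# Delegated scopes: read the authentication method policy, manage the user's methods
Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# 1. Confirm the Temporary Access Pass method is enabled for the tenant.
#    If it is not, turn it on under Authentication methods in the Entra admin center.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if ($tapPolicy.State -ne "enabled") {
    throw "TAP is not enabled in the tenant's authentication method policy."
}

# 2. Issue a one-time-use pass valid for the next 60 minutes only.
#    One-time use plus a short lifetime keeps the MFA bypass window small if the
#    pass ends up in a ticket, chat or log where it should not be.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -IsUsableOnce:$true -LifetimeInMinutes 60

# The pass value is only returned by this call; it cannot be read back later.
Write-Host "TAP for $upn (one-time, $($tap.LifetimeInMinutes) min): $($tap.TemporaryAccessPass)"

# 3. After the device is set up, make sure no pass is left on the account.
#    A used one-time pass is consumed and an unused one lapses at expiry, but an
#    explicit cleanup avoids relying on either. The user registers their own MFA
#    at first sign-in, so nothing needs to be reset afterwards.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn |
    ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
```

Run steps 1 and 2 before you start on the PC, sign in to the user's Microsoft 365 account with the pass to pull down the Office apps, then run step 3 before handing the device over.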
I started using TAPs recently and I'm really liking them!
Have you considered using Intune for deployment? When the user logs in for the first time, all the necessary apps could automatically show up, making the process much more streamlined.
We're trying to get to that point as well, but for now, we still set up first before handing them off.
You definitely don’t need to log in as the user just to download the Office apps. You could try running OfficeInstall.exe directly without logging in first, but make sure to check if it needs user credentials!
For sure! We're working on improving the provisioning process so users get a smoother experience.