How to run an MFA registration campaign in Azure
You can nudge users to set up Microsoft Authenticator during sign-in. Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator. In addition to choosing who can be nudged, you can define how many days a user can postpone, or "snooze", the nudge.
Prerequisites
- Azure AD MFA is enabled
- Users have already set up MFA (otherwise they will be forced to configure it after the grace period, possibly at an unfavorable moment, which we want to avoid)
- Users have not yet set up the Authenticator app for push notifications on their account
After successful authentication against a Microsoft Cloud Service, users will be prompted to configure Microsoft Authenticator for MFA.
Configuration
To start the campaign, go to aad.portal.azure.com
- Click on Azure Active Directory - Security - Authentication Methods
Make sure that Microsoft Authenticator is enabled, e.g. for All users. To do so:
- Click on Microsoft Authenticator - Enable: Yes - Target: All Users
- Authentication mode needs to be set to Any or Push
- Selecting only Passwordless will not work
- Click Save
Next, to start the campaign, click on Registration campaign - Edit
- State: Enabled
- Days allowed to snooze: 1 day (0 days will remind users on every login)
- Click Save.
Now that the campaign is running, log in with a user that has not yet configured MFA. Users will be nudged to configure MFA.
Click Next
Click Next
Click Next
Click Next
After scanning the code, the user will be guided in the app.
To check which users have already configured MFA, go to Azure Active Directory - Security - Authentication Methods - User registration details.
It is highly recommended to plan MFA enforcement ahead of time. Take possible user absences into account so that users are not forced to configure MFA in unfavorable situations.
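To support that planning, the following added example (not part of the original article) sorts an export of the user registration details into users the campaign will nudge, users already on Authenticator push, and users with no MFA at all, which is the group the prerequisites warn about. It assumes the export has the shape of the Microsoft Graph `userRegistrationDetails` report (`userPrincipalName`, `isMfaRegistered`, `methodsRegistered`); the sample users are constructed.

```python
import json

# Constructed sample in the shape of the Microsoft Graph report
# GET /reports/authenticationMethods/userRegistrationDetails (not real tenant data).
SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "anna@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "ben@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "cara@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "dev@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["softwareOneTimePasscode"]},
    # Record without a methodsRegistered field: treated as "no methods".
    {"userPrincipalName": "eve@contoso.example", "isMfaRegistered": False},
]})

PUSH = "microsoftAuthenticatorPush"


def classify(export_json):
    """Sort users into the three groups that matter for the campaign."""
    buckets = {"will_be_nudged": [], "already_on_push": [], "no_mfa_yet": []}
    for rec in json.loads(export_json).get("value", []):
        upn = rec.get("userPrincipalName", "<unknown>")
        methods = {m.lower() for m in (rec.get("methodsRegistered") or [])}
        if PUSH.lower() in methods:
            # Prerequisite not met: Authenticator push is already set up.
            buckets["already_on_push"].append(upn)
        elif rec.get("isMfaRegistered"):
            # Has MFA through another method: the campaign nudges these users.
            buckets["will_be_nudged"].append(upn)
        else:
            # No MFA at all: contact these users before starting the campaign.
            buckets["no_mfa_yet"].append(upn)
    return {group: sorted(users) for group, users in buckets.items()}


if __name__ == "__main__":
    for group, users in classify(SAMPLE_EXPORT).items():
        print(f"{group}: {len(users)}")
        for upn in users:
            print(f"  {upn}")
```

The example reads a single page of results; a real Graph response may be paginated and would need every page merged before classification.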








