If you have users that aren't enrolled for MFA, you can determine what happens when they try to authenticate. To control this behavior, use the setting REQUIRE_USER_MATCH in the registry path HKLM\Software\Microsoft\AzureMFA. This setting has a single configuration option:

Key                  Value        Default
REQUIRE_USER_MATCH   TRUE/FALSE   Not set (equivalent to TRUE)

This setting determines what to do when a user isn't enrolled for MFA. When the key doesn't exist, is not set, or is set to TRUE, and the user isn't enrolled, the extension fails the MFA challenge.

When the key is set to FALSE and the user isn't enrolled, authentication proceeds without performing MFA. If a user is enrolled in MFA, they must authenticate with MFA even if REQUIRE_USER_MATCH is set to FALSE.

You can choose to create this key and set it to FALSE while your users are onboarding and not all of them are enrolled for Azure AD Multi-Factor Authentication yet. However, because this setting permits users that aren't enrolled for MFA to sign in, you should remove the key before going to production.
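The following PowerShell script is an added example and not part of the original page or of the NPS extension itself. It reads REQUIRE_USER_MATCH from the registry path given above, reports the effective behaviour for unenrolled users exactly as the page describes it (missing, empty or TRUE means the MFA challenge fails; FALSE means sign-in proceeds without MFA), and flags a FALSE value as a finding so the onboarding setting is not forgotten before production. The helper names (Get-RequireUserMatchState, Set-RequireUserMatchOnboarding, Remove-RequireUserMatchOverride) and the assumption that the value is stored as a REG_SZ string are this example's own.

```powershell
# Added example: audit and manage the NPS extension's REQUIRE_USER_MATCH setting.
# Path and value name are taken from the page; the helper functions are not Microsoft's.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMFA'
$ValueName = 'REQUIRE_USER_MATCH'

function Get-RequireUserMatchState {
    param([string]$Path = $RegPath, [string]$Name = $ValueName)

    # Read the value if it exists; a missing key or value yields $null.
    $raw = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    if ($null -eq $raw -or [string]::IsNullOrWhiteSpace([string]$raw)) {
        $effective = 'TRUE'            # page: not set is equivalent to TRUE
        $stored    = '(not set)'
    } else {
        $stored    = [string]$raw
        # Anything other than the literal FALSE keeps the secure default.
        $effective = if ($stored.Trim().ToUpperInvariant() -eq 'FALSE') { 'FALSE' } else { 'TRUE' }
    }

    $unenrolled = if ($effective -eq 'FALSE') {
        'Authentication proceeds without MFA'
    } else {
        'MFA challenge fails (sign-in denied)'
    }

    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        StoredValue      = $stored
        EffectiveValue   = $effective
        UnenrolledUsers  = $unenrolled
        EnrolledUsers    = 'MFA always required'   # page: enrolled users must use MFA either way
        Finding          = ($effective -eq 'FALSE')
        Recommendation   = if ($effective -eq 'FALSE') { 'Remove REQUIRE_USER_MATCH before production' } else { 'None' }
    }
}

function Set-RequireUserMatchOnboarding {
    # Onboarding posture from the page: set the value to FALSE so unenrolled users can sign in.
    param([string]$Path = $RegPath, [string]$Name = $ValueName)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Assumption: the extension reads this as a string value (REG_SZ).
    Set-ItemProperty -Path $Path -Name $Name -Value 'FALSE' -Type String
    Get-RequireUserMatchState -Path $Path -Name $Name
}

function Remove-RequireUserMatchOverride {
    # Production posture from the page: remove the value so the default (TRUE) applies again.
    param([string]$Path = $RegPath, [string]$Name = $ValueName)
    Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    Get-RequireUserMatchState -Path $Path -Name $Name
}

# Usage: run on the NPS server (requires local administrator to write the key).
Get-RequireUserMatchState | Format-List
```

Run Get-RequireUserMatchState as part of a pre-production checklist on every NPS server that hosts the extension; a Finding of True means the onboarding bypass is still in place. Set-RequireUserMatchOnboarding and Remove-RequireUserMatchOverride wrap the two states the page describes so that the change is logged together with the resulting effective behaviour.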