An MFA policy breaks the first time an employee has no second factor enrolled. I see that gap often when companies begin CMMC Level 2 work in Microsoft Entra ID.
The MFA registration campaign helps close that gap before enforcement hits users. It prompts people to register approved methods, gives IT a cleaner rollout path, and creates useful records along the way. The key is knowing where the campaign fits, and where it stops.
Where the MFA registration campaign fits in CMMC Level 2
CMMC Level 2 aligns with NIST SP 800-171, and MFA is part of that identity story. Microsoft’s CMMC compliance guidance and its Level 2 identification and authentication guidance make the point clearly: Microsoft Entra ID can support the control set, but no single feature makes an organization compliant on its own.
That matters because CMMC Level 2 expects MFA for all users who access the network, and for privileged users who access systems locally. If users never register a second factor, your policy exists on paper only. In practice, a CMMC MFA registration campaign is a control-supporting mechanism. It helps drive enrollment, lowers the chance of last-minute lockouts, and gives you a record that you pushed users toward approved methods.
A registration campaign improves MFA adoption. It does not replace Conditional Access, Authentication methods policy, or documented enforcement.
I treat the campaign as the bridge between policy design and user action. It helps users get ready. It does not prove that MFA is required at sign-in, and it does not cover privileged local access on endpoints by itself. Assessors will look for the full picture, not only the prompt users saw.
Registration, enforcement, and readiness are different jobs
This is the distinction I explain most often to CMMC teams.
| Component | What it does | Why it matters for CMMC |
|---|---|---|
| Registration campaign | Prompts targeted users during sign-in to set up a selected method, such as Microsoft Authenticator or a passkey | Helps users enroll and gives IT a managed adoption path |
| Authentication methods policy | Controls which methods are allowed and whether self-service setup is available | Limits users to approved methods and supports assurance goals |
| Conditional Access | Requires MFA when users access scoped apps, roles, or conditions | Provides actual enforcement for network access |
| User readiness | Covers communications, training, support, and exception handling | Reduces lockouts and shows the rollout was managed, not improvised |
When I review tenant settings, problems usually come from mixing these jobs. Some teams turn on the campaign and assume MFA is covered. Others force Conditional Access too early and flood the help desk because users never enrolled.
The order should stay clean. First, I decide which methods are allowed. Next, I use the campaign to push registration. Then I enforce MFA with Conditional Access when adoption is high enough to avoid operational damage. I also document emergency access accounts, recovery steps, and any approved exceptions.
There is one more boundary to keep in mind. CMMC Level 2 goes past cloud sign-in. If privileged users still rely on local admin access on devices, I pair Entra changes with endpoint controls, admin-role cleanup, and written procedures. That’s where identity work meets the rest of your security program.
How I set up the campaign in Microsoft Entra ID
For current setup details, I rely on Microsoft’s registration campaign guidance. Microsoft frames the feature as a sign-in prompt that nudges users to register Microsoft Authenticator or passkeys, based on the targeted method and your policy choices.
When I build the rollout, I keep it simple and measurable:
- I confirm the targeted method is allowed in the Authentication methods policy. If I want users on Microsoft Authenticator or passkeys, that method must be ready first.
- I create a pilot group. IT staff and a small set of patient business users usually work well. I exclude emergency access accounts and any accounts with separate handling rules.
- I test the sign-in path on real devices. That includes web access, Windows sign-in flows, mobile users, and remote workers. A policy that looks fine in the admin center can still fail in daily use.
- I write the enforcement plan in Conditional Access before broad rollout. Dates, scope, and exclusions should exist before the first user prompt goes live.
- I send short user instructions. People need a deadline, supported methods, and a clear recovery path for lost or replaced phones.
- I save evidence as I go. Screenshots, policy exports, pilot notes, and change records are much easier to collect during rollout than after the fact.
I don’t launch tenant-wide on day one. A short pilot reveals shared tablets, kiosk patterns, stale accounts, and contractor edge cases before they become audit pain. It also shows whether your support team can handle device changes, phone loss, or app setup issues without delaying the enforcement date.
Roll out in phases so users complete enrollment
A phased rollout beats a one-day switch every time. I usually start with internal IT, then privileged users, then a business unit with predictable workflows, and only then the broader population. That sequence gives me cleaner feedback and less noise.
Communication matters more than many teams expect. I keep the message plain: what users must do, when they must do it, which method they should use, and where they get help. Short instructions work better than policy-heavy email. If the workforce includes field staff, shift workers, or contractors, I add manager notice and support hours that match their schedules.
In small organizations, identity work is rarely isolated. I connect it to Small Business IT planning, Cloud Infrastructure cleanup, Office 365 Migration follow-up, Data Center Technology review, Endpoint Security, Device Hardening, and day-to-day Cloud Management. If the company runs hospitality systems, Restaurant POS Support and Kitchen Technology Solutions matter too, because shared terminals and back-office tablets often sit outside standard onboarding.
That wider view is why I treat this project as part of Cybersecurity Services, Technology Consulting, Infrastructure Optimization, Digital Transformation, IT Strategy for SMBs, Secure Cloud Architecture, Managed IT for Small Business, and Business Continuity & Security. Clients often ask for Innovative IT Solutions and Tailored Technology Services. The lasting value comes from having one Business Technology Partner connect identity policy, device posture, and recovery planning.
What evidence I keep for a CMMC assessment
Assessors want more than a screenshot with a toggle turned on. I keep records that show design, rollout, enforcement, and exception handling over time. I also use current Microsoft Entra ID terms in my evidence, not old Azure AD labels, because naming drift creates confusion during reviews.
The most useful evidence usually includes:
- Dated screenshots or exports of the Authentication methods policy, registration campaign settings, and Conditional Access policies
- Change tickets, approvals, and rollout dates that show when decisions were made
- User communications, support instructions, and training notes tied to the campaign
- Group membership records for included and excluded users, plus justification for emergency access accounts
- Sign-in and registration status reports that show adoption progress and follow-up actions
- Periodic review records that show the controls still match current users, roles, and risk
I also map each artifact to its purpose. The campaign shows that I pushed users to enroll. Authentication methods policy shows which factors I allow. Conditional Access shows that MFA is required at access time. Endpoint records may support the privileged local access side of CMMC Level 2.
Screenshots without dates, policy names, or change context are weak evidence.
Retention matters too. I store identity evidence with policy documents and audit prep materials, not in scattered mailboxes. That gives me a timeline I can explain, rather than a pile of disconnected images.
Final thoughts
The Entra ID MFA registration campaign is useful because it closes the enrollment gap that causes many MFA projects to fail. It gives users a prompt, and it gives IT a managed path to adoption.
Still, CMMC Level 2 is about more than registration. I look for approved methods, real enforcement through Conditional Access, support for user readiness, and records that hold up under assessment.
If users aren’t registered, your MFA rule is only a draft.
Discover more from Guide to Technology
Subscribe to get the latest posts sent to your email.