We use AAD B2C for 30k users and a range of apps. I want to progressively roll out MFA to a subset of users. Conditional Access Policy sounds perfect, except that as part of the built-in sign-in user flow, users are prompted to enroll in MFA and enter email/phone, even if they are not covered by the Conditional Access policy. This defeats the purpose of slowly rolling out MFA.
This page suggests enrollment occurs regardless of Conditional Access. https://learn.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-user-flow
I've found ways to update the user's authentication phone or email via the Graph API... but I'd rather not do this since I'm not certain I have the correct phone number on hand.
Is there a way to delay the enrollment process?
You could do this with a custom policy.
Flag the users you’d like to enrol with an extension attribute. Use the Graph API to do this. In the custom policy, read this attribute after the user has verified their credentials. Also read the phone number attribute.
If the attribute is set to true and the phone number is null, then enrol into MFA. Control the MFA orchestration step with a set of preconditions.
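As an added illustration of the approach in this answer (not the answerer's own policy, and not a verbatim copy of Microsoft's starter pack), the fragments below show what the relevant parts of a `TrustFrameworkExtensions.xml` could look like. The extension attribute name `extension_mfaRollout`, the orchestration step number and the `ClaimsExchange` Id are assumptions; `AAD-UserReadUsingObjectId`, `PhoneFactor-InputOrVerify` and the `strongAuthenticationPhoneNumber` claim follow the naming used in the B2C custom policy starter pack with MFA, and the surrounding policy is assumed to already contain those profiles and the `b2c-extensions-app` configuration. Through the Graph API the same attribute is addressed as `extension_<extensions-app-id-without-dashes>_mfaRollout`.

```xml
<!-- Added example: claim declaration for the rollout flag (assumed name) -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_mfaRollout">
      <DisplayName>MFA rollout flag</DisplayName>
      <DataType>boolean</DataType>
      <UserHelpText>Set via the Graph API to true for users who should be enrolled in MFA.</UserHelpText>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- Read the flag and the existing phone number after credentials are verified -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_mfaRollout" />
          <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- Enrolment step, placed after the step that runs AAD-UserReadUsingObjectId.
     Preconditions are evaluated in order; the first one that matches decides.
     1. Skip unless the flag exists and is true (ClaimEquals is false for a
        missing claim, so unflagged users are skipped as well).
     2. Skip if a phone number is already stored (user is already enrolled). -->
<UserJourneys>
  <UserJourney Id="SignUpOrSignInWithMfaRollout">
    <OrchestrationSteps>
      <!-- ...earlier steps: sign-in, read user with AAD-UserReadUsingObjectId... -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecutionActionsIf="false">
            <Value>extension_mfaRollout</Value>
            <Value>true</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
          <Precondition Type="ClaimsExist" ExecutionActionsIf="true">
            <Value>strongAuthenticationPhoneNumber</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="MfaRolloutEnrol" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- ...later steps: persist the phone number, issue the token... -->
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

Because the flag is read from the directory on every sign-in, enrolment can be widened one batch of users at a time simply by setting the attribute through the Graph API, with no policy redeployment, and users who are not flagged never see the phone prompt.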