9th May 2025

Entra ID Multi-Factor Authentication (MFA) Powered by Hire2Retire

As part of the Phase 8.4 release, Hire2Retire now enables you to use Entra ID Multi-Factor Authentication.

Many companies that use Entra ID to secure access to cloud services face a common challenge. They invest in Microsoft Entra ID P1 licenses to help manage identity and access, but do not consider the restrictions that come with the lower cost of the P1 license compared to P2.
The P1 license offers only rigid options for MFA: either it is enforced for everyone, or admins have to manually enable it for individual users. Upgrading to a P2 license is cost intensive, costing up to $10,000 a month on average. To solve this problem for our customers, Hire2Retire has added a new feature to its bucket of advanced solutions.
In its 8.4 release, Hire2Retire has introduced a new and significant security enhancement. Our product can now configure Multi-Factor Authentication (MFA) policies for Microsoft Entra ID directly within its workflow engine.
It allows our customers who are using Entra ID (Hybrid Active Directory) to define, manage and automate their MFA policies as part of their employee lifecycle workflows. Furthermore, MFA enforcement in Entra ID, which previously required a manual setup or expensive premium plans, now comes as built-in support with Hire2Retire. Administrators can define MFA behavior based on HR data such as department, role or employment type and create an attribute-based MFA policy configuration.

What is the Business Value of this Feature?

This feature adds value to Hire2Retire because Microsoft does not allow conditional enabling of 2FA for lower-value Entra ID plans. Microsoft currently allows the following methods for enforcing MFA policies:
1. Security Defaults – Enabling security defaults in Azure AD makes Microsoft MFA compulsory for ALL users and enforces certain other security practices, whereas organizations might want to implement it only partially. It makes MFA required for administrators anytime they log in. It also disables a few protocols like SMTP, IMAP and POP. This does not allow modular implementation. (Available with basic plan)
2. Per User MFA – Using per user MFA, an account with at least ‘Authentication Administration’ privilege can manually enable/disable/enforce MFA for a specific user. (Available with basic plan)
3. Conditional Access – The administrator can configure rules and conditions to control the MFA enforcement. (Only available with advanced plans)
With the new update, Hire2Retire uses the Per User MFA API so that you can enable MFA through Hire2Retire. You can also configure MFA through user-based attributes, which works like the Conditional Access feature provided by Microsoft in higher plans.

How to enable it on Hire2Retire?

1. Enable Hire2Retire to set the MFA state for Entra ID users in the IdP configuration wherever the workflow has a connection with Entra ID: Entra ID, and Hybrid AD when Entra AD security groups are enabled.
2. Add a section to the top of Lifecycle Business Rules page, with the heading “Multi Factor Authentication”. In future, we will expand the scope of this section to enforce other policies. This will separate out MFA from any lifecycle and put it as a user policy.
3. The section will have a dropdown with a lookup table to configure the MFA state as per the applied conditions based on HR attributes. The dropdown will have the following options –
  • Enforced: MFA is enforced and the user cannot login to Microsoft without setting it up.
  • Enabled: MFA is enabled and user will be asked to set it up. It can be skipped for some time as set by Azure administrator policies.
  • Disabled: MFA is disabled.
  • Do not Change: Hire2Retire will not change MFA state.
4. The default option for new flows should be ‘Enable MFA’. For existing flows, the selected option should be Do Not Change.
5. If the connection doesn’t have auth admin privilege, then the dropdown will be disabled with help text stating “This connection does not have ‘Authentication Administrator’ privilege to configure MFA”.
6. The MFA policy for a user will show up as a separate tab on Observe Page Employee Data modal window.
This feature delivers greater flexibility and security to organizations using Microsoft Entra ID, especially those with basic plans that lack conditional access features. Now Hire2Retire can be your secure and scalable identity lifecycle management solution, particularly in hybrid or budget-conscious environments.
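
The lookup-table behaviour described in the steps above can be sketched as follows. This is an added example, not Hire2Retire's code: the HR attribute names, the table rows and the first-match-wins ordering are assumptions, and the request it builds targets Microsoft Graph's per-user MFA property (`perUserMfaState`), which the page does not confirm as the exact call Hire2Retire makes.

```python
from dataclasses import dataclass

# The four dropdown options listed in step 3.
ENFORCED, ENABLED, DISABLED, NO_CHANGE = "Enforced", "Enabled", "Disabled", "Do not Change"

@dataclass(frozen=True)
class Rule:
    conditions: dict  # HR attribute -> required value; every pair must match
    state: str

# Constructed lookup table; attribute names and values are hypothetical.
RULES = [
    Rule({"department": "Finance"}, ENFORCED),
    Rule({"employment_type": "Contractor", "department": "IT"}, ENFORCED),
    Rule({"employment_type": "Contractor"}, ENABLED),
    Rule({"department": "Kiosk"}, DISABLED),
]

def _norm(value):
    # HR feeds are inconsistent about case and padding; compare normalized text.
    return str(value or "").strip().casefold()

def resolve_state(hr_record, rules=RULES, default=NO_CHANGE):
    """Return the state of the first matching row (assumed ordering).
    An absent or empty HR attribute does not satisfy a condition."""
    for rule in rules:
        if all(_norm(hr_record.get(k)) == _norm(v) for k, v in rule.conditions.items()):
            return rule.state
    return default

def plan_update(user_id, hr_record, current_state, has_auth_admin, default=NO_CHANGE):
    """Return the request to send, or None when nothing should be written."""
    target = resolve_state(hr_record, default=default)
    if target == NO_CHANGE or target == current_state:
        return None  # leave the existing per-user state untouched
    if not has_auth_admin:
        # Mirrors step 5: without the role, the state cannot be configured.
        raise PermissionError("connection lacks Authentication Administrator privilege")
    return {
        "method": "PATCH",
        "path": f"/users/{user_id}/authentication/requirements",
        "body": {"perUserMfaState": target.lower()},
    }
```

Passing `default=ENABLED` models the default for new flows from step 4, while the `NO_CHANGE` default models existing flows.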

What are you waiting for?

Hire2Retire’s new feature offers enterprise-grade customization to your HR-IT workflows. Ready to transform your lifecycle management processes? Book a call with our Integration Specialist today and start your journey towards streamlined business processes.
Want to learn more?

To dive deeper into the features that have been added in the Hire2Retire Phase 8.4 release, read the RoboMQ blog post on Phase 8.4 here.

Need to dive even deeper into the Phase 8.4 changes? See every change made in the Hire2Retire Phase 8.4 release notes.


Abhishek Surtanya

Abhishek Surtanya is a Marketing Manager with RoboMQ. He is a B2B and SaaS content strategist specializing in content writing that drives engagement, lead generation, and SEO growth. With 6+ years of experience, he has crafted high-impact content for top brands. He specializes in data-driven, conversion-focused content that establishes thought leadership and enhances brand visibility.
