The inability to have conditional access policies enforced against the user principal names (or device IDs) is a job stopper for us for several reasons:
- We use a third party MFA tool (DUO) because it offers much better access control. It actually tells the user who is trying to log in and where the request is coming from. This requires us to disable MFA on the user accounts to which DUO is assigned, and then the MFA is handled by a CA policy in Azure AD. Disabling this CA policy for those users is completely impossible.
- We have several common sense CA policies for things like preventing login from users identified as high risk, or login from obviously foreign locations. I don't think that I could sign all of the security policies with our customers unless I had these active policies in place.
If I create a new user group (with UPNs) to identify my beta testers for Autopatch, can I still retain my CA policies? If I cannot maintain CA policies then Autopatch is going to be a no go for me, and I think for most security conscious companies.