Forum Discussion
MFA User Group
Hello everyone,
I'm new to this group. My first exposure to MS365 Administration happened in October 2023 when a former MSP was paid to move my company's Exchange on-prem to the cloud. I'm putting a document together on how to set up MFA and generate app-specific passwords to permit MS365 authentication between my ERP system and MS365 Outlook.
During the conversion process the MSP created two security groups: MFA Users and MFA Exclusions. My question is, was this necessary as part of the conversion, for, say, placeholders for accounts, or is this something I should be maintaining?
Thank you in advance for any input.
3 Replies
- Chris_Apps4Rent Copper Contributor
The "MFA Users" and "MFA Exclusions" groups were likely created by the MSP to easily manage Multi-Factor Authentication settings using Conditional Access or security defaults.
Microsoft does not require them, but they are a common best practice for:
- Applying MFA policies to specific users (MFA Users)
- Excluding service accounts or legacy systems from MFA (MFA Exclusions)
You can keep and use these groups if they fit your setup. Otherwise, feel free to rename or restructure based on your current needs.
Depends on what they configured. Assuming they enforced MFA via a Conditional Access policy, those two groups are likely used to scope inclusions/exclusions for said policy. You can check via the Entra ID portal; here's the documentation: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
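The check the replies above describe can also be done from a shell instead of clicking through the portal. The script below is an added example for this thread, not something posted by either replier; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgIdentityConditionalAccessPolicy, Get-MgGroup, Get-MgGroupMember) to list every Conditional Access policy that requires MFA, resolve the group IDs it includes and excludes to display names, and then count the members of the two groups the original poster named. The group names "MFA Users" and "MFA Exclusions" are taken from the question and are an assumption; change them if yours differ.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK
# and an account that can read Conditional Access policies and groups
# (Global Reader or Security Reader is enough).
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All" -NoWelcome

# Assumption: these are the group names the original poster mentioned.
$groupsOfInterest = @("MFA Users", "MFA Exclusions")

# Cache of group id -> display name so each group is looked up once.
$groupNames = @{}
function Resolve-GroupName {
    param([string]$GroupId)
    if (-not $groupNames.ContainsKey($GroupId)) {
        try {
            $groupNames[$GroupId] = (Get-MgGroup -GroupId $GroupId -ErrorAction Stop).DisplayName
        } catch {
            # A policy can still reference a group that has since been deleted.
            $groupNames[$GroupId] = "<deleted or unreadable: $GroupId>"
        }
    }
    return $groupNames[$GroupId]
}

# 1. Which policies actually require MFA, and who are they scoped to?
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    # MFA can be required either as the classic "mfa" built-in control or via an
    # authentication strength; treat both as an MFA policy.
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains "mfa") -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)
    if (-not $requiresMfa) { continue }

    $incUsers  = @($p.Conditions.Users.IncludeUsers)   # "All", "None" or object ids
    $incGroups = @($p.Conditions.Users.IncludeGroups | ForEach-Object { Resolve-GroupName $_ })
    $excGroups = @($p.Conditions.Users.ExcludeGroups | ForEach-Object { Resolve-GroupName $_ })

    [pscustomobject]@{
        Policy        = $p.DisplayName
        State         = $p.State   # enabled, disabled, or enabledForReportingButNotEnforced
        IncludeUsers  = ($incUsers  -join ", ")
        IncludeGroups = ($incGroups -join ", ")
        ExcludeGroups = ($excGroups -join ", ")
    }
}

# 2. Do the scoping groups contain anyone? An MFA policy scoped to an empty
#    include group enforces MFA on nobody.
foreach ($name in $groupsOfInterest) {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $g) { Write-Warning "Group '$name' not found"; continue }
    $members = @(Get-MgGroupMember -GroupId $g.Id -All)
    "{0}: {1} member(s)" -f $name, $members.Count
    if ($members.Count -eq 0) {
        Write-Warning "'$name' is empty: any policy that includes it applies to no one"
    }
    # List the members so the exclusion group can be reviewed account by account.
    $members | ForEach-Object { "    " + $_.AdditionalProperties["userPrincipalName"] }
}
```

Two things to look for in the output: a policy whose State is disabled or report-only, or whose include group is empty, is not enforcing anything yet; and if a policy includes "All" users and excludes "MFA Exclusions", that exclusion group is the sensitive one, since every account added to it bypasses MFA, so its membership deserves a periodic review.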
- Romanof54 Copper Contributor
Thank you for the quick response. My Entra ID portal does show 7 Conditional Access policies, but only one, related to Admins, is specified for MFA enforcement. It appears the policies were built as part of the design but no one was added. I will be doing some more homework on this, and I think best practice is to maintain the MFA Users and MFA Exclusions groups, as some users have left and others have onboarded.