Forum Discussion

Jason Benway
Iron Contributor
May 31, 2019

Conditional Access vs enable MFA

I've started testing MFA within our org.

I created a conditional access policy with access controls of MFA or hybrid AD joined.

But when I look at MFA through the o365 portal

https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?

it shows none of my users enabled for MFA.

I assume I should continue with the conditional access, not just enabling MFA through the o365 portal, because CA gives me more control. Will using CA for my admin accounts increase my Microsoft security score?

  • That's the expected behavior. If you enable it via the MFA page, it will always require MFA, the only exception being users logging from "trusted IPs". So it's a good way to have an "always on" configuration for your most sensitive users. If you want flexibility/better customization, use CA policies - this is the recommended method nowadays.

    • Jason Benway
      Iron Contributor
      Thank you, do you know if using conditional access counts toward the security score?
      • VasilMichev
        MVP

        The score is just an arbitrary number, the important thing is the action, not whether it increases the score :)

    • Neil Goldstein
      Iron Contributor

      VasilMichev

      Are you aware of any instructions for converting from cloud only "enable MFA" to cloud only "Conditional Access MFA"?

      Thanks!

      -Neil

      • VasilMichev
        MVP

        It's as simple as toggling the settings in the MFA portal and configuring a CA Policy. Personally, I still run with both MFA and CA configured, I've simply added an exception (trusted IPs) to my MFA config.
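
The kind of policy discussed in this thread (grant access with MFA or a hybrid Azure AD joined device), sketched with the Microsoft Graph PowerShell SDK as an added example that is not part of any poster's reply. The pilot group ID is a placeholder, and the display name and the report-only state are assumptions chosen for a test rollout.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder: object ID of a pilot group (assumption, replace with your own).
$pilotGroupId = '<pilot-group-object-id>'

$policy = @{
    displayName   = 'Pilot - require MFA or hybrid Azure AD joined device'
    # Report-only: sign-ins are evaluated and logged, nothing is enforced yet.
    # Switch to 'enabled' once the sign-in logs show the expected results.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # 'OR' = either control satisfies the policy, matching
        # "MFA or hybrid AD joined" from the original post.
        operator        = 'OR'
        builtInControls = @('mfa', 'domainJoinedDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# The per-user MFA page does not reflect Conditional Access, so audit MFA
# coverage from the policies themselves: list every policy that grants on MFA.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' } |
    Select-Object DisplayName, State,
        @{ Name = 'Operator'; Expression = { $_.GrantControls.Operator } },
        @{ Name = 'Controls'; Expression = { $_.GrantControls.BuiltInControls -join ', ' } }
```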