Forum Discussion

PhilRiceUoS
Brass Contributor
Jun 01, 2020

Enabling MFA for accounts of different licence levels

This shouldn't be such a difficult problem to answer but it is proving difficult for me to find out a definitive answer.

I have a tenant with a few thousand A5-level licences and can therefore use Conditional Access MFA, and I have a further 20K or so A1 'with A5 student use benefit' licences and am trying to work out how MFA can be enabled for all of them. We currently use a third-party MFA product for the A5-level users and nothing on the A1s, and we are able to stop using the third-party product and use MS MFA instead if required/better.

From research I can see that 'security defaults' would enable a basic MFA with MS Authenticator for A1 licence users, and I know Conditional Access requires a higher level (P1/P2), so the A5 licences are OK for that. What I cannot find out is whether it is possible to mix the two types of MFA and have the A1 (Student) users use security defaults MFA and the A5 (Staff/Faculty) users the Conditional Access MFA. I've found nothing that addresses a mixed requirement like this.

    • PhilRiceUoS
      Brass Contributor

      Moe_Kinani thanks Moe, I've read the article and it has lots of useful info, but I'm still not completely clear on a few things:

      - it seems it is not possible to use security defaults for just the E1/A1 users and CA for the E5/A5 users, as it is a blanket setting across the tenant, BUT does that apply to all Conditional Access policies or just CA policies that pertain to MFA?

      - is there any way to omit certain users, like service accounts or other users that couldn't interact with MFA?

      The old baseline security policies method used to have the ability to exclude users (but that was removed last year); it seems crazy to have a tenant-wide setting like this & security defaults without any degree of exclusions allowed. It essentially means it is only really useful for smaller organizations with less complex environments, yet very large organizations would likely be in more need of something like this but couldn't justify the expense of upgrading licences for large volumes of users just for a single feature.
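Security defaults has no exclusion list, but a Conditional Access policy does, and a CA policy can also be scoped to just the licensed (A5 staff) users rather than the whole tenant, which is the shape of the mixed requirement asked about above. The following is an added example, not code from the thread, using the Microsoft Graph PowerShell SDK (Microsoft.Graph module). The group names 'CA-MFA-Staff' and 'CA-MFA-Exclusions' are hypothetical placeholders, and the caller is assumed to hold the Policy.ReadWrite.ConditionalAccess and Group.Read.All permissions. The policy is created in report-only mode so the sign-in logs show who would have been challenged before anything is enforced.

```powershell
# Added example (not from the thread): create a report-only Conditional Access
# policy that requires MFA for members of a staff group, excluding a group of
# service / break-glass accounts that cannot complete an interactive MFA prompt.
# Assumes the Microsoft.Graph PowerShell SDK is installed; group names below
# are hypothetical placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Hypothetical groups: the licensed (A5) staff who get CA MFA, and the accounts
# that must never be prompted (service accounts, break-glass admins).
$staffGroup     = Get-MgGroup -Filter "displayName eq 'CA-MFA-Staff'"
$exclusionGroup = Get-MgGroup -Filter "displayName eq 'CA-MFA-Exclusions'"
if (-not $staffGroup -or -not $exclusionGroup) {
    throw "Create the CA-MFA-Staff and CA-MFA-Exclusions groups before running this."
}

$policy = @{
    displayName = "Require MFA for staff (report-only)"
    # Report-only: evaluated and logged in the sign-in logs, but not enforced.
    # Switch to "enabled" only after reviewing the report-only results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($staffGroup.Id)
            excludeGroups = @($exclusionGroup.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
        # "all" covers browser, modern clients, Exchange ActiveSync and other
        # (legacy) clients; legacy clients cannot satisfy MFA and will be blocked.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Two caveats worth keeping in mind: every user the policy applies to needs an Azure AD Premium P1 licence (which A5 includes), and Azure AD does not allow security defaults and Conditional Access policies to be turned on in the same tenant at the same time, so once CA is in use the unlicensed A1 users would have to be covered by some other means, such as the per-user MFA setting mentioned later in this thread as the manual fallback.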

      • Moe_Kinani
        Bronze Contributor
        CA MFA only overlaps with Security Defaults; you can still use CA after enabling Security Defaults.

        Make sure all your service accounts are ready for MFA, and also make sure you don't have accounts using Legacy Authentication before enabling Security Defaults.

        As mentioned in the article, if you have your PCs configured correctly, your onboarding process will go very smoothly.

        Baseline Security policies are classic and are going to be deprecated soon; they make a lot of noise when enabled. I remember they broke my AD Connect client when enabled a few years ago.

        Do your preparation; use the Azure AD Sign-in Logs to get a better picture. Otherwise you have to enable MFA manually for each user, which isn't good practice for your environment.

        Moe
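The preparation step above, checking the sign-in logs for accounts still using legacy authentication before security defaults turns it off, can be scripted. The following is an added example, not code from the thread, using the Microsoft Graph PowerShell SDK. It assumes the caller has the AuditLog.Read.All and Directory.Read.All permissions and that the tenant retains 30 days of sign-in logs (Azure AD Premium; Azure AD Free keeps only 7 days, so shorten the window there). The list of client names is the set of values Azure AD reports in the clientAppUsed field for legacy (basic-auth) protocols.

```powershell
# Added example (not from the thread): report which accounts signed in with
# legacy authentication protocols recently. Security defaults blocks these
# protocols, so every row here is an account that will break unless it is
# migrated to modern auth first. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# clientAppUsed values that Azure AD reports for legacy (basic) authentication.
$legacyClients = @(
    "Exchange ActiveSync", "Exchange Online PowerShell", "Exchange Web Services",
    "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Authenticated SMTP", "SMTP", "AutoDiscover", "Reporting Web Services"
)

function Get-LegacyAuthUsage {
    param([int]$Days = 30)

    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

    # Server-side filter on the date window only; the client app and result
    # are filtered locally. In a large tenant this is a big pull, so keep the
    # window short on the first run.
    $signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

    # Only successful sign-ins matter: a failed legacy attempt is noise (or an
    # attacker spraying passwords), a successful one is a real dependency.
    $legacy = $signIns | Where-Object {
        $_.Status.ErrorCode -eq 0 -and $legacyClients -contains $_.ClientAppUsed
    }

    $legacy |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Group[0].UserPrincipalName
                Client   = $_.Group[0].ClientAppUsed
                SignIns  = $_.Count
                LastSeen = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        } |
        Sort-Object SignIns -Descending
}

# Print the report and keep a CSV for the migration tracking sheet.
$report = Get-LegacyAuthUsage -Days 30
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\legacy-auth-usage.csv"
```

Accounts that show up here with "Other clients" or "Exchange ActiveSync" are typically multifunction printers, scripts using basic auth against Exchange, and older mail apps; each needs to be moved to modern authentication (or, for service accounts, to an app registration with certificate or secret credentials) before security defaults or an MFA-requiring Conditional Access policy is enforced.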
