Forum Discussion
Stephen1870 (Copper Contributor)
Apr 22, 2024
Migrate MFA server to Entra ID
Hi All,
Is it a must to use Conditional Access when migrating MFA Server to Entra ID? My customer would like to save costs by not buying Entra ID P1/P2 if it is not a requirement.
"Configure Conditional Access policies if needed
If you use Conditional Access to determine when users are prompted for MFA, you shouldn't need to change your policies.
If your federated domain(s) have SupportsMfa set to false, analyze your claims rules on the Microsoft Entra ID relying party trust and create Conditional Access policies that support the same security goals.
After creating Conditional Access policies to enforce the same controls as AD FS, you can back up and remove your claim rules customizations on the Microsoft Entra ID Relying Party."
Thanks.
- Jeff_Birks (Copper Contributor)
If you are looking to save costs and are not yet ready to acquire P1/P2 licenses, then there is still a way to use hardware token MFA.
You could consider using programmable tokens:
https://deepnetsecurity.com/products/programmable-tokens/
Unlike pre-programmed tokens, these can act as a direct 1-for-1 replacement for TOTP authentication apps (such as Google Authenticator), and therefore this is a viable option if you want a hardware solution for your MFA.
If you are going with a software solution, Microsoft have now introduced number matching on the Authenticator app (but this will of course only be applicable to the users that agree to run the app on their mobile phone).