Forum Discussion
Microsoft 365 licensing for MFA seems to be one big joke?
I think licensing for M365 MFA is one big joke from Microsoft these days. Let me explain:
Let's say in our organization we have 100 users. We have 50 users with MS Entra ID Premium P1 licenses. The remaining 50 users don't have any MS Entra ID Premium license.
Now, because we had problems with MFA in the past, we decided to go to Conditional Access to create our custom login flows to avoid the problems we had.
But because Conditional Access is only for users with a Premium license, we can use it only for 50 users.
For the remaining 50 users we can't use Security Defaults (which have been disabled on our tenant since the beginning of time). We also can't use M365 per-user MFA because the MS documentation says so: "You should also turn off per-user MFA after you've configured your policies and settings in Conditional Access."
So overall in this example the only option for us to get MFA for the remaining 50 users is to buy more Premium licenses. Yes, you can say we don't need MFA for the remaining 50 users, but let me tell you that's not an option. Certain Microsoft portals require MFA and they are not accessible for the user or through the API until you activate MFA for the user! So congratulations Microsoft. Your business plan for how to get as much money from your tenants is absolutely legendary. This is one big joke...
- oliwer_sundgren (Steel Contributor)
Hi!
Per-user MFA is, as you said, included in the regular licenses for M365/O365.
The reason that per-user MFA works alongside Conditional Access is that per-user MFA enforces MFA every time an authentication happens (except during the token lifetime, of course).
And if you exclude your per-user MFA users from any Conditional Access policies, those will never apply and therefore per-user MFA is applied.
I don't really have any documentation to give you on this statement other than my hands-on knowledge with this specific setup.
The reason, however, why the Microsoft documentation tells you to turn off per-user MFA when using Conditional Access is because they would cancel each other out and cause a conflict. So a rule of thumb is to not mix them. Another reason for the statement to move away from per-user MFA is because Microsoft will deprecate that very soon.
I would recommend that you either:
1: Buy Premium P1 licenses for all user accounts
2: Don't use Conditional Access and apply Security Defaults instead to cover all users without the need for an extra license.
3: Mix CA policies and per-user MFA
Hope this helps, and I also understand your frustration with the license model. It has its ups and downs 🙂
Cheers
Oliwer
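Option 3 above (exclude the per-user MFA users from the CA policies and let per-user MFA catch them) only works if you can see, per user, which mechanism is actually in scope. The PowerShell below is an added example for this thread; it was not posted by any participant and is not Microsoft's code. It lists, for every enabled user, whether an Entra ID P1/P2 service plan is provisioned, the per-user MFA state, and whether any enabled Conditional Access policy whose grant control requires "mfa" targets the user directly, via "All", or through a (transitive) group. It assumes the Microsoft.Graph and Microsoft.Graph.Beta PowerShell modules, an account that can consent to the read scopes listed, and that the per-user state is readable through the beta authentication-requirements cmdlet Get-MgBetaUserAuthenticationRequirement (that cmdlet name is an assumption). The sample policy object used for the offline check is constructed. The report does not settle the enforcement argument in this thread; it only shows where neither mechanism is in scope.

```powershell
# Added example for this thread (not posted by any participant, not Microsoft's code).
# Assumes: Microsoft.Graph and Microsoft.Graph.Beta modules installed, and an account
# allowed to consent to the read scopes used below.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Beta.Identity.SignIns   # assumption: provides Get-MgBetaUserAuthenticationRequirement

function Test-CaPolicyTargetsUser {
    # Mirrors the CA scoping rule: an exclusion always wins over an inclusion.
    param($Policy, [string]$UserId, [string[]]$GroupIds)
    $scope = $Policy.Conditions.Users
    if ($scope.ExcludeUsers -contains $UserId) { return $false }
    if ($scope.ExcludeGroups | Where-Object { $GroupIds -contains $_ }) { return $false }
    if ($scope.IncludeUsers -contains 'All' -or $scope.IncludeUsers -contains $UserId) { return $true }
    if ($scope.IncludeGroups | Where-Object { $GroupIds -contains $_ }) { return $true }
    return $false   # role-scoped inclusions are not resolved here
}

# Offline check of the scoping rule with a constructed policy object: 'u-42' sits in an
# included group but is explicitly excluded, so the policy must not target that user,
# while 'u-7' is caught by the 'All' inclusion.
$samplePolicy = [pscustomobject]@{
    Conditions = [pscustomobject]@{ Users = [pscustomobject]@{
        IncludeUsers = @('All'); IncludeGroups = @('g-legacy'); ExcludeUsers = @('u-42'); ExcludeGroups = @() } }
}
Test-CaPolicyTargetsUser $samplePolicy 'u-42' @('g-legacy')
Test-CaPolicyTargetsUser $samplePolicy 'u-7'  @()

Connect-MgGraph -Scopes 'User.Read.All', 'Policy.Read.All', 'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All' -NoWelcome

function Get-MfaCoverageReport {
    # Only enabled policies whose grant control includes the built-in 'mfa' control count as MFA coverage.
    $mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
    }

    foreach ($user in (Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled | Where-Object AccountEnabled)) {
        # Entra ID P1 is provisioned as the AAD_PREMIUM service plan; P2 additionally carries AAD_PREMIUM_P2.
        $plans = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans
        $hasPremium = [bool]($plans | Where-Object {
            ($_.ServicePlanName -in @('AAD_PREMIUM', 'AAD_PREMIUM_P2')) -and $_.ProvisioningStatus -eq 'Success' })

        # Transitive membership so nested groups used in CA scoping are honoured.
        $groupIds = @((Get-MgUserTransitiveMemberOf -UserId $user.Id -All).Id)

        $caTargeted = [bool]($mfaPolicies | Where-Object { Test-CaPolicyTargetsUser $_ $user.Id $groupIds })

        # Per-user MFA state: disabled / enabled / enforced. 'enabled' only becomes 'enforced'
        # once the user registers, so treat it as pending rather than as coverage.
        try {
            $perUser = (Get-MgBetaUserAuthenticationRequirement -UserId $user.Id).PerUserMfaState
        } catch {
            $perUser = 'unknown'
        }

        $status = if ($perUser -eq 'enforced') { 'per-user MFA' }
                  elseif ($perUser -eq 'enabled') { 'per-user MFA (pending registration)' }
                  elseif ($caTargeted -and $hasPremium) { 'Conditional Access' }
                  elseif ($caTargeted) { 'Conditional Access, but no P1/P2 plan provisioned' }
                  else { 'NO MFA IN SCOPE' }

        [pscustomobject]@{
            User           = $user.UserPrincipalName
            HasPremiumPlan = $hasPremium
            PerUserMfa     = $perUser
            CaMfaTargeted  = $caTargeted
            Status         = $status
        }
    }
}

# Typical use: list the gaps first, then everyone.
$report = Get-MfaCoverageReport
$report | Where-Object Status -eq 'NO MFA IN SCOPE' | Format-Table -AutoSize
$report | Sort-Object Status, User | Format-Table -AutoSize
```

The rows marked "Conditional Access, but no P1/P2 plan provisioned" are exactly the users this thread argues about: a CA policy names them, but no Entra ID Premium plan is provisioned on the account. Whether the policy is enforced for them is not something this report can tell you; the licensing requirement is what it surfaces. If you go the mixed route, the per-user MFA users should show up with an "enforced" state and `CaMfaTargeted` false, otherwise both mechanisms are in play for the same sign-in.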
- You can use per-user MFA alongside CA policies just fine, ignore that documentation bit.
- Mi1anovic (Copper Contributor)
What? Are you serious?
From Microsoft documentations:
If you use Conditional Access or security defaults, you don't review or enable user accounts using these steps.
Source: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
You should also turn off per-user MFA after you've configured your policies and settings in Conditional Access.
Source: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
Don't enable or enforce per-user Microsoft Entra multifactor authentication if you use Conditional Access policies.
Source: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
Licensing is also a very interesting part because per-user MFA is licensed by some considerations which are not visible (they don't mention per-user MFA):
Included in Office 365 licensing (See license considerations)
Source: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication
Microsoft documentation, access and licensing is one big joke.
- Kendae (Copper Contributor)
Per-user MFA works even with CA policies. Users without MS Entra ID Premium licenses are not evaluated against Conditional Access policies.
- Mi1anovic (Copper Contributor)
Please include official MS sources to support your statement.