Forum Discussion
Solved
Microsoft 365 licensing for MFA seems to be one big joke?
I think licensing for M365 MFA is one big joke from Microsoft in these days. Let me explain: Let's say in our organization we have 100 users. We have 50 users with MS Entra ID Premium P1 licenses....
- Hi!
Per-User MFA is like you said included in the regular licenses for M365/O365.
The reason that Per-User MFA works alongside with Conditional access is because Per-User MFA enforces MFA every time an authentication happens (except during the token lifetime of course)
And if you exlude your per-user MFA users from any conditional access policies, those will never apply and therefore Per-User MFA is applied.
I dont really have any documentation to give you on this statement rather than my hands-on knowledge with this specific setup
The reason however why Microsoft documentation tells you to turn of per-user MFA when using Conditional Access is becuase they would cancel eachother out and cause a conflict. So a rule of thumb is to not mix them. Another reason for the statement to move away from per-user MFA is because Microsoft will deprecate that very soon.
I would recommend that you either
1: Buy Premium1 licenses for all user accounts
2: Dont use Conditional access and apply security defaults instead to cover all users without the need of an extra license.
3: Mix CA policies and Per-User MFA
Hope this helps, and also I understand your frustration in the licensemodel. It has it's ups and downs 🙂
Cheers
Oliwer
