Forum Discussion
Microsoft 365 licensing for MFA seems to be one big joke?
- Hi!
Per-User MFA is like you said included in the regular licenses for M365/O365.
The reason that Per-User MFA works alongside with Conditional access is because Per-User MFA enforces MFA every time an authentication happens (except during the token lifetime of course)
And if you exlude your per-user MFA users from any conditional access policies, those will never apply and therefore Per-User MFA is applied.
I dont really have any documentation to give you on this statement rather than my hands-on knowledge with this specific setup
The reason however why Microsoft documentation tells you to turn of per-user MFA when using Conditional Access is becuase they would cancel eachother out and cause a conflict. So a rule of thumb is to not mix them. Another reason for the statement to move away from per-user MFA is because Microsoft will deprecate that very soon.
I would recommend that you either
1: Buy Premium1 licenses for all user accounts
2: Dont use Conditional access and apply security defaults instead to cover all users without the need of an extra license.
3: Mix CA policies and Per-User MFA
Hope this helps, and also I understand your frustration in the licensemodel. It has it's ups and downs 🙂
Cheers
Oliwer
What? Are you serious?
From Microsoft documentations:
If you use Conditional Access or security defaults, you don't review or enable user accounts using these steps.
Source: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
You should also turn off per-user MFA after you've configure your policies and settings in Conditional Access.
Source: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
Don't enable or enforce per-user Microsoft Entra multifactor authentication if you use Conditional Access policies.
Source: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
Licensing is also very interesting part because per-user MFA is licensed by some considerations which are not visible (don't mention per-user MFA):
Included in Office 365 licensing (See license considerations)
Source: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication
Microsoft documentations, access and licensing is one big joke.
Per-User MFA is like you said included in the regular licenses for M365/O365.
The reason that Per-User MFA works alongside with Conditional access is because Per-User MFA enforces MFA every time an authentication happens (except during the token lifetime of course)
And if you exlude your per-user MFA users from any conditional access policies, those will never apply and therefore Per-User MFA is applied.
I dont really have any documentation to give you on this statement rather than my hands-on knowledge with this specific setup
The reason however why Microsoft documentation tells you to turn of per-user MFA when using Conditional Access is becuase they would cancel eachother out and cause a conflict. So a rule of thumb is to not mix them. Another reason for the statement to move away from per-user MFA is because Microsoft will deprecate that very soon.
I would recommend that you either
1: Buy Premium1 licenses for all user accounts
2: Dont use Conditional access and apply security defaults instead to cover all users without the need of an extra license.
3: Mix CA policies and Per-User MFA
Hope this helps, and also I understand your frustration in the licensemodel. It has it's ups and downs 🙂
Cheers
Oliwer
- Thank you Oliwer for this answer. I will try to mix CA and per-user MFA then in a safely manner as you described.