Forum Discussion
Conditional Access vs enable MFA
Are you aware of any instructions for converting from cloud only "enable MFA" to cloud only "Conditional Access MFA"?
Thanks!
-Neil
Neil Goldstein
One advantage of using just CA policies: users won't have to set up App Passwords for legacy apps. I think, iirc, App Passwords are required if you use Enable MFA for apps like Outlook and Skype, even PowerShell... Make sure one account doesn't have MFA enabled, just in case there is another MFA outage (follow best practice for the non-MFA account, i.e. set up a CA policy for trusted IPs only).
Additionally, you'd want to create a few CA policies to avoid compromised accounts... Yes, it is nice not to deal with App Passwords, but then attackers can use Outlook to log in as a bypass to MFA. So set CA policies for that, like block if the sign-in is from a high-risk location/country or is not included in a trusted IP/location.
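The policy set described in the reply above, sketched with the Microsoft Graph PowerShell module as an added example that is not part of any post in this thread. The display names and the `<break-glass-account-object-id>` placeholder are constructed, and the example assumes the tenant already has named locations marked as trusted.

```powershell
# Added example: constructed policies, not taken from the thread.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of the one account that is left without MFA.
$BreakGlassId = '<break-glass-account-object-id>'

# Report-only first, so the sign-in logs show the impact before enforcement.
# Change to 'enabled' once the results have been reviewed.
$State = 'enabledForReportingButNotEnforced'
$OutsideTrusted = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }

$policies = @(
    @{  # 1. Require MFA for everyone except the non-MFA account
        displayName   = 'Example - require MFA for all users'
        state         = $State
        conditions    = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # 2. The non-MFA account may only sign in from trusted locations
        displayName   = 'Example - non-MFA account, trusted locations only'
        state         = $State
        conditions    = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @($BreakGlassId) }
            locations      = $OutsideTrusted
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # 3. Legacy clients (which cannot do MFA) blocked outside trusted locations
        displayName   = 'Example - legacy clients, trusted locations only'
        state         = $State
        conditions    = @{
            clientAppTypes = @('exchangeActiveSync', 'other')
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('All') }
            locations      = $OutsideTrusted
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```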