Forum Discussion
Enabling MFA for accounts of different licence levels
I highly recommend using Security Defaults, especially for your environment, as it gives a gentle onboarding experience without a lot of noise. CA MFA policies are classic; I don't recommend using them.
Check this out:
https://practical365.com/azure-ad/what-are-azure-ad-security-defaults-and-should-you-use-them/
Hope this helps!
Moe
Moe_Kinani thanks Moe, I've read the article and it has lots of useful info, but I'm still not completely clear on a few things:
- It seems it is not possible to use Security Defaults for just the E1/A1 users and CA for the E5/A5 users, as it is a blanket setting across the tenant, BUT does that apply to all Conditional Access policies or just the CA policies that pertain to MFA?
- Is there any way to omit certain users, like service accounts or other users that couldn't interact with MFA?
The old baseline security policies method used to have the ability to exclude users (but that was removed last year); it seems crazy to have a tenant-wide setting like this and Security Defaults without any degree of exclusions allowed. It essentially means it is only really useful for smaller organizations with less complex environments, yet very large organizations would likely be in more need of something like this but couldn't justify the expense of upgrading licences for large volumes of users just for a single feature.
Moe_Kinani Jun 02, 2020 Bronze Contributor
CA MFA only overlaps with Security Defaults; you can still use CA after enabling Security Defaults.
Make sure all your service accounts are ready for MFA, and also make sure you don't have accounts using Legacy Authentication before enabling Security Defaults.
As mentioned in the article, if you have your PCs configured correctly, your onboarding process will go very smoothly.
Baseline security policies are classic and are going to be deprecated soon; they make a lot of noise when enabled. I remember they broke my AD Connect client when enabled a few years ago.
Do your preparation; use the Azure AD sign-in logs to get a better picture. Otherwise you have to enable MFA manually for each user, which isn't good practice for your environment.
Moe

PhilRiceUoS Jun 04, 2020 Brass Contributor
Moe_Kinani OK, that's interesting. So in theory we could have all the 1000s of A1 licences (students) with MFA required due to Security Defaults, and for staff on A5 utilize CA settings to have MFA forced, plus other CA policies where required, correct? That could work for us. I will have to look into it and test further when I get a chance (a few more urgent things currently to sort first).
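Moe's advice above, to check the sign-in logs for accounts still using Legacy Authentication before enabling Security Defaults, as an added example that is not part of this thread: a small Python script that reads a sign-in log export and lists the accounts (service accounts included) whose sign-ins would be blocked once Security Defaults are on. It assumes the export uses the Microsoft Graph signIn field names (userPrincipalName, clientAppUsed, status.errorCode); the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of an Azure AD sign-in log export
# (Microsoft Graph signIn field names; the users and values are made up).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "createdDateTime": "2020-06-01T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "createdDateTime": "2020-06-01T08:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "createdDateTime": "2020-06-01T08:10:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "createdDateTime": "2020-06-01T09:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "createdDateTime": "2020-06-01T09:20:00Z", "status": {"errorCode": 0}},
    # A failed sign-in (non-zero errorCode): excluded by default so a single
    # wrong-password attempt does not flag an account as a legacy-auth user.
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "IMAP4",
     "createdDateTime": "2020-06-01T09:30:00Z", "status": {"errorCode": 50126}},
])

# Only these two clientAppUsed values are modern authentication; anything else
# (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, MAPI Over HTTP,
# "Other clients", ...) is legacy and is blocked by Security Defaults.
MODERN_AUTH_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def is_legacy_auth(record):
    """True if the sign-in record used a legacy (basic) authentication client."""
    return record.get("clientAppUsed") not in MODERN_AUTH_CLIENTS


def legacy_auth_report(raw_json, successful_only=True):
    """Return {upn: {clientAppUsed: count}} for accounts seen using legacy auth.

    successful_only drops records whose status.errorCode is non-zero, so the
    report shows accounts that actually rely on legacy auth today.
    """
    report = defaultdict(lambda: defaultdict(int))
    for rec in json.loads(raw_json):
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        if is_legacy_auth(rec):
            report[rec["userPrincipalName"]][rec.get("clientAppUsed", "Unknown")] += 1
    return {upn: dict(apps) for upn, apps in report.items()}


if __name__ == "__main__":
    for upn, apps in sorted(legacy_auth_report(SAMPLE_SIGNINS).items()):
        print(f"{upn}: {apps}")  # each account to fix before enabling Security Defaults
```

Run it against a real export (Azure portal sign-in logs, "Download" as JSON) to get the list of accounts to migrate or re-platform before the switch is flipped.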