
Conditional Access vs enable MFA

Jason Benway
Contributor

I've started testing MFA within our org.

I created a conditional access policy with access controls of MFA or hybrid AD joined.

But when I look at MFA through the o365 portal

https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?

it shows none of my users enabled for MFA.

I assume I should continue with the conditional access, not just enabling MFA through the o365 portal, because CA gives me more control. Will using CA for my admin accounts increase my Microsoft security score?

6 Replies

That's the expected behavior. If you enable it via the MFA page, it will always require MFA, the only exception being users logging in from "trusted IPs". So it's a good way to have an "always on" configuration for your most sensitive users. If you want flexibility/better customization, use CA policies - this is the recommended method nowadays.

Thank you. Do you know if using conditional access counts toward the security score?

The score is just an arbitrary number; the important thing is the action, not whether it increases the score :)

@Vasil Michev

Are you aware of any instructions for converting from cloud only "enable MFA" to cloud only "Conditional Access MFA"?

Thanks!

-Neil

It's as simple as toggling the settings in the MFA portal and configuring a CA Policy. Personally, I still run with both MFA and CA configured; I've simply added an exception (trusted IPs) to my MFA config.

@Neil Goldstein
One advantage of using just CA policies: users won't have to set up App Passwords for legacy apps. I think, iirc, App Passwords are required if you use Enable MFA for apps like Outlook and Skype, even PowerShell... Make sure one account doesn't have MFA enabled, just in case there is another MFA outage (follow best practice for the non-MFA account, i.e. set up a CA policy for trusted IPs only).

Additionally, you'd want to create a few CA policies to avoid compromised accounts... Yes, it is nice not to deal with App Passwords, but then attackers can use Outlook to log in as a bypass to MFA. So set CA policies for that, like block if the sign-in is from a high-risk location/country or is not included in the trusted IP/location.
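To make the difference between the two enforcement styles concrete (the "always on, except trusted IPs" per-user MFA from the first reply, and the legacy-auth gap in a CA policy that only covers modern clients from the last reply), here is a small simplified evaluator. This is an added illustration, not Microsoft's evaluation engine or any code from the thread; the users, IP ranges and policy names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "trusted IPs" (RFC 5737 documentation range), stands in for the
# named locations / trusted IPs list an admin would configure in the tenant.
TRUSTED_IPS = [ip_network("203.0.113.0/24")]

@dataclass
class SignIn:
    user: str
    ip: str
    client: str               # "modern" (can do MFA) or "legacy" (basic auth, cannot)
    hybrid_joined: bool = False

def from_trusted_ip(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_IPS)

def per_user_mfa(s: SignIn, enabled_users: set[str]) -> str:
    """Per-user ('Enable MFA') model: always on for enabled users, the only
    exception being trusted IPs. Legacy clients cannot complete an MFA prompt,
    so they need an app password instead of interactive MFA."""
    if s.user not in enabled_users or from_trusted_ip(s.ip):
        return "allow"
    return "app-password" if s.client == "legacy" else "mfa"

@dataclass
class CAPolicy:
    name: str
    users: set[str]           # "*" means all users
    client_apps: set[str]     # client types this policy applies to
    control: str = "mfa"      # "mfa", "mfa-or-hybrid" or "block"
    exclude_trusted: bool = False

def conditional_access(s: SignIn, policies: list[CAPolicy]) -> str:
    """Simplified CA evaluation: every matching policy applies; a block
    wins over grants, and a sign-in no policy matches is simply allowed."""
    need_mfa = False
    for p in policies:
        if "*" not in p.users and s.user not in p.users:
            continue                                  # user out of scope
        if s.client not in p.client_apps:
            continue                                  # client type not covered
        if p.exclude_trusted and from_trusted_ip(s.ip):
            continue                                  # trusted-location exclusion
        if p.control == "block":
            return "block"
        if p.control == "mfa-or-hybrid" and s.hybrid_joined:
            continue                                  # hybrid join satisfies the grant
        need_mfa = True
    return "mfa" if need_mfa else "allow"
```

A policy such as `CAPolicy("Require MFA or hybrid join", {"*"}, {"modern"}, "mfa-or-hybrid")` on its own lets a legacy-auth sign-in through untouched, which is the bypass the reply above warns about; adding `CAPolicy("Block legacy auth", {"*"}, {"legacy"}, "block")` closes it.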
