MFA versus Conditional Access

Brent Ellis
Valued Contributor

I’m trying to figure out how Azure MFA (set on a user) and Conditional Access (set by policy) play together.

Does one trump the other? Does Conditional Access “extend” the capabilities of Basic MFA?

Specifically, I want to require app passwords 100% of the time, and then use conditional access rules to bypass MFA for apps using Modern Auth based on the conditions (more than just IP range).

So far I have been unable to do any Conditional Access on things like iOS email or Gmail app. It seems app passwords aren't available for Conditional Access policies.

If I disable MFA (set on a user), and then create a Conditional Access policy, the policy ONLY works on authentications that use Modern Authentication. CA policies don't apply to ActiveSync (?)

If I enforce MFA (set on a user), then it doesn't seem the exceptions I set in Conditional Access are working, because MFA is trumping Conditional Access (?)

7 Replies
Maybe you need to get Intune into play:
https://blogs.technet.microsoft.com/configmgrdogs/2016/11/02/restrict-iosandroid-e-mail-to-outlook-u...
MFA enforced will not accept any CA, and AFAIK yes, you need modern authentication for app based CA

I agree with Pablo, I too have been down this road. CA is limited to Modern authentication and ActiveSync does not trigger CA

App passwords are bad, don't use them. They are doing the opposite of what MFA/CA does, and you should have some serious discussions with the powers that be, before going down that rabbit hole.

I'm assuming the issue here is making sure users are still able to access their email on a mobile, after switching on MFA? The latest iOS client should support Modern auth, thus MFA/conditional access will work. The Outlook app on every mobile platform also supports it. So there should be at least one option available.

Or, you can just use CA in an opposite fashion - ask for MFA only when not using ActiveSync. And yes, enforcing it on the user level will always trigger it, regardless of what you have configured for CA (by "enforcing" I mean the corresponding option in the MFA portal). This is the more secure option, as apart from ActiveSync, CA will not trigger for anything that uses legacy auth, as you have already noted. Including the MSOnline PowerShell module for example.

In case you really, really, really need to use some app that does not support Modern auth, you can now use cert-based auth as an additional level of protection. Assuming you have AD FS, that is. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentic...

It looks like CA and MFA won't work together to make my desired scenario work.

MFA 100% of the time on things that use legacy auth

Conditional MFA on things that use modern auth

Having protection against things like PowerShell is also going to be preferred. If a user's credentials get compromised, I'm going to assume most hackers aren't just gonna stroll right up to OWA to try and use it.

 

My personal opinion is to go with the more secure option - enforce MFA and *disable* app passwords. As mentioned above, there are email clients/apps with support for Modern auth on every platform nowadays, so that should not be a stopper.

So is there a way to 100% block native email client access and scripting access (like PowerShell) using only Conditional Access (not plain Azure MFA)?
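
An added example, not part of the original thread: because the replies note that legacy-auth clients do not trigger Conditional Access, this Python code inventories which users still sign in successfully with such clients, which is what you need to know before enforcing MFA and disabling app passwords. It assumes a JSON export of Azure AD sign-in logs carrying the `userPrincipalName`, `clientAppUsed` and `status.errorCode` fields; the sample records and the `legacy_auth_report` name are constructed for illustration.

```python
import json
from collections import defaultdict

# clientAppUsed values reported for modern-auth clients. Anything else
# (Exchange ActiveSync, IMAP4, POP3, Other clients, a missing value, ...)
# is flagged for review; allow-listing is the safer default for a defender.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample in the shape of a sign-in log export (not real data).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"userPrincipalName": "Alice@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}},
    # Failed sign-in: not evidence of a working legacy dependency.
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "POP3",
     "status": {"errorCode": 50126}},
])


def legacy_auth_report(export_json):
    """Return {user: {client: count}} for successful non-modern sign-ins."""
    report = defaultdict(lambda: defaultdict(int))
    for rec in json.loads(export_json):
        client = rec.get("clientAppUsed") or "unknown"
        if client in MODERN_CLIENTS:
            continue
        if rec.get("status", {}).get("errorCode") != 0:
            continue
        # UPNs are case-insensitive, so normalise before grouping.
        user = rec["userPrincipalName"].lower()
        report[user][client] += 1
    return {user: dict(clients) for user, clients in report.items()}


if __name__ == "__main__":
    for user, clients in sorted(legacy_auth_report(SAMPLE_EXPORT).items()):
        print(user, clients)
```

Users who appear in the report are the ones whose mail clients or scripts would break, or would need an exception, once legacy authentication is no longer accepted.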
