Enabling MFA for accounts of different licence levels

%3CLINGO-SUB%20id%3D%22lingo-sub-1432179%22%20slang%3D%22en-US%22%3EEnabling%20MFA%20for%20accounts%20of%20different%20licence%20levels%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1432179%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20shouldn't%20be%20such%20a%20difficult%20problem%20to%20answer%20but%20it%20is%20proving%20difficult%20for%20me%20to%20find%20out%20a%20definitive%20answer.%3C%2FP%3E%3CP%3EI%20have%20a%20tenant%20with%20a%20few%20thousand%20A5%20level%20licenses%20so%20therefore%20can%20use%20conditional%20access%20MFA%20and%20I%20have%20further%2020K%20or%20so%20A1%20'with%20A5%20student%20use%20benefit'%20licences%20and%20am%20trying%20to%20work%20out%20how%20MFA%20can%20be%20enabled%20for%20all%20of%20them.%20We%20currently%20use%20a%20third%20party%20MFA%20product%20for%20the%20A5%20level%20users%20and%20nothing%20on%20the%20A1%20and%20have%20we%20are%20able%20to%20stop%20using%20the%20third%20party%20product%20to%20use%20MS%20MFA%20instead%20if%20required%2Fbetter.%3C%2FP%3E%3CP%3EFrom%20research%20I%20can%20see%20that%20'security%20defaults'%20would%20enable%20a%20basic%20MFA%20with%20MS%20Authenticator%20for%20A1%20licence%20users%20and%20I%20know%20conditional%20access%20requires%20higher%20level%20(P1%2FP2)%26nbsp%3B%20so%20the%20A5%20licences%26nbsp%3B%20are%20ok%20for%20that%20but%20what%20I%20cannot%20find%20out%20is%20if%20it%20is%20possible%20to%20mix%20the%20two%20types%20of%20MFA%20and%20have%20the%20A1%20(Student)%20users%20use%20security%20defaults%20MFA%20and%20the%20A5%20(Staff%20%2F%20Faculty)%20users%20the%20conditional%20access%20MFA.Ive%20found%20nothing%20that%20address%20a%20mixed%20requirement%20like%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1432179%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMFA%20Azure%20and%20Office%20Admin%20Portal%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1432471%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20MFA%20for%20accounts%20of%20different%20licence%20levels%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1432471%22%20slang%3D%22en-US%22%3EYou%20can%E2%80%99t%20enable%20MFA%20CA%20and%20Security%20Defaults%20at%20same%20time.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20highly%20recommend%20using%20Security%20Defaults%20especially%20for%20your%20environment%20as%20it%20applies%20with%20gentle%20on%20boarding%20experience%20without%20lot%20of%20noise.%20CA%20MFA%20policies%20are%20classic%2C%20don%E2%80%99t%20recommend%20using%20it.%3CBR%20%2F%3E%3CBR%20%2F%3ECheck%20this%20out%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fpractical365.com%2Fazure-ad%2Fwhat-are-azure-ad-security-defaults-and-should-you-use-them%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fpractical365.com%2Fazure-ad%2Fwhat-are-azure-ad-security-defaults-and-should-you-use-them%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1433222%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20MFA%20for%20accounts%20of%20different%20licence%20levels%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1433222%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3B%20thanks%20Moe%20%2C%20ive%20read%20the%20article%20and%20it%20has%20lots%20of%20useful%20info%20but%20im%20still%20not%20completely%20clear%20on%20a%20few%20things%3C%2FP%3E%3CP%3E-%26nbsp%3B%20it%20seems%20it%20is%20not%20possible%20to%20use%20security%20defaults%20for%20the%20just%20E1%2FA1%20users%20and%20CA%20for%20E5%2FA5%20users%20as%20it%20is%20a%20blanket%20setting%20across%20the%26nbsp%3B%20tenant%20BUT%20does%20that%20apply%20to%20all%20conditional%20access%20policies%20or%20just%20CA%20policies%20that%20pertain%20to%20MFA%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E-%20is%20there%20any%20way%20to%20omit%20certain%20users%2C%20like%20service%20accounts%20or%20other%20users%20that%20couldnt%20interact%20with%20MFA%3F%3C%2FP%3E%3CP%3EThe%20old%20baseline%20security%20policies%20method%20used%20to%20have%20the%20ability%20to%20exclude%20users%20(but%20that%20was%20removed%20last%20year)%2C%20it%20seems%20crazy%20to%20have%20a%20tenant%20wide%20setting%20like%20this%20%26amp%3B%20security%20defaults%20without%20any%20degree%20of%20exclusions%20allowed.%20It%20essentially%20means%20it%20is%20only%20really%20useful%20for%20smaller%20organizations%20with%20less%20complex%20environments%20yet%20very%20large%20organizations%26nbsp%3B%20would%20like%20be%20in%20more%20need%20of%20something%20like%20this%20but%20couldnt%20justify%20the%20expense%20of%20upgrading%20licences%20for%20large%20volumes%20of%20users%20just%20for%20a%20single%20feature.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1434163%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20MFA%20for%20accounts%20of%20different%20licence%20levels%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1434163%22%20slang%3D%22en-US%22%3ECA%20MFA%20only%20overlaps%20with%20Security%20default%2C%20you%20can%20still%20use%20CA%20after%20enabling%20Security%20Defaults.%3CBR%20%2F%3E%3CBR%20%2F%3EMake%20sure%20all%20your%20service%20accounts%20are%20ready%20for%20MFA%20and%20also%20make%20sure%20you%20don%E2%80%99t%20have%20accounts%20using%20Legacy%20Authentication%20before%20enabling%20Security%20Defaults.%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20mentioned%20in%20the%20article%2C%20if%20you%20have%20your%20PCs%20configured%20correctly%2C%20your%20on%20boarding%20process%20will%20go%20very%20smoothly.%3CBR%20%2F%3E%3CBR%20%2F%3EBaseline%20Security%20policies%20are%20classic%20and%20going%20to%20be%20deprecated%20soon%2C%20it%20has%20alot%20of%20noice%20when%20enabled%2C%20I%20remember%20it%20broke%20my%20ADConnect%20client%20when%20enabled%20few%20years%20ago.%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20your%20preparation%2C%20use%20Azure%20AD%20Sign%20Logs%20to%20have%20better%20picture.%20Otherwise%20you%20have%20to%20enable%20MFA%20manually%20for%20each%20user%20which%20isn%E2%80%99t%20good%20practice%20for%20your%20environment.%3CBR%20%2F%3E%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1441487%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20MFA%20for%20accounts%20of%20different%20licence%20levels%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1441487%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3B%20ok%20thats%20interesting%20so%20in%20theory%20we%20could%20have%20all%20the%201000s%20of%20A1%20licences%20(students)%20with%20MFA%20required%20due%20to%20security%20defaults%20and%20for%20staff%20A5%20utilize%20CA%20settings%20to%20have%20MFA%20forced%20and%20other%20CA%20policies%20where%20required%20correct%3F%20That%20could%20work%20for%20us%20-%20I%20will%20have%20to%20look%20into%20it%20and%20test%20further%20when%20I%20get%20a%20chance%20(a%20few%20more%20urgent%20things%20currently%20to%20sort%20first)%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

This shouldn't be such a difficult problem to answer but it is proving difficult for me to find out a definitive answer.

I have a tenant with a few thousand A5 level licenses so therefore can use conditional access MFA and I have further 20K or so A1 'with A5 student use benefit' licences and am trying to work out how MFA can be enabled for all of them. We currently use a third party MFA product for the A5 level users and nothing on the A1 and have we are able to stop using the third party product to use MS MFA instead if required/better.

From research I can see that 'security defaults' would enable a basic MFA with MS Authenticator for A1 licence users and I know conditional access requires higher level (P1/P2)  so the A5 licences  are ok for that but what I cannot find out is if it is possible to mix the two types of MFA and have the A1 (Student) users use security defaults MFA and the A5 (Staff / Faculty) users the conditional access MFA.Ive found nothing that address a mixed requirement like this.

4 Replies
Highlighted
You can’t enable MFA CA and Security Defaults at same time.

I highly recommend using Security Defaults especially for your environment as it applies with gentle on boarding experience without lot of noise. CA MFA policies are classic, don’t recommend using it.

Check this out:

https://practical365.com/azure-ad/what-are-azure-ad-security-defaults-and-should-you-use-them/

Hope this helps!
Moe
Highlighted

@Moe_Kinani  thanks Moe , ive read the article and it has lots of useful info but im still not completely clear on a few things

-  it seems it is not possible to use security defaults for the just E1/A1 users and CA for E5/A5 users as it is a blanket setting across the  tenant BUT does that apply to all conditional access policies or just CA policies that pertain to MFA?  

- is there any way to omit certain users, like service accounts or other users that couldnt interact with MFA?

The old baseline security policies method used to have the ability to exclude users (but that was removed last year), it seems crazy to have a tenant wide setting like this & security defaults without any degree of exclusions allowed. It essentially means it is only really useful for smaller organizations with less complex environments yet very large organizations  would like be in more need of something like this but couldnt justify the expense of upgrading licences for large volumes of users just for a single feature.

CA MFA only overlaps with Security default, you can still use CA after enabling Security Defaults.

Make sure all your service accounts are ready for MFA and also make sure you don’t have accounts using Legacy Authentication before enabling Security Defaults.

As mentioned in the article, if you have your PCs configured correctly, your on boarding process will go very smoothly.

Baseline Security policies are classic and going to be deprecated soon, it has alot of noice when enabled, I remember it broke my ADConnect client when enabled few years ago.

Do your preparation, use Azure AD Sign Logs to have better picture. Otherwise you have to enable MFA manually for each user which isn’t good practice for your environment.

Moe
Highlighted

@Moe_Kinani  ok thats interesting so in theory we could have all the 1000s of A1 licences (students) with MFA required due to security defaults and for staff A5 utilize CA settings to have MFA forced and other CA policies where required correct? That could work for us - I will have to look into it and test further when I get a chance (a few more urgent things currently to sort first)