Jun 01 2020 - last edited on Jul 27 2020
This shouldn't be such a difficult problem to answer but it is proving difficult for me to find out a definitive answer.
I have a tenant with a few thousand A5 level licenses, so therefore can use conditional access MFA, and I have a further 20K or so A1 'with A5 student use benefit' licences and am trying to work out how MFA can be enabled for all of them. We currently use a third party MFA product for the A5 level users and nothing on the A1, and we are able to stop using the third party product to use MS MFA instead if required/better.
From research I can see that 'security defaults' would enable a basic MFA with MS Authenticator for A1 licence users, and I know conditional access requires a higher level (P1/P2), so the A5 licences are OK for that, but what I cannot find out is if it is possible to mix the two types of MFA and have the A1 (Student) users use security defaults MFA and the A5 (Staff / Faculty) users the conditional access MFA. I've found nothing that addresses a mixed requirement like this.
Jun 01 2020 07:26 PM - edited Jun 01 2020 07:28 PM
Jun 02 2020 05:37 AM
@Moe_Kinani thanks Moe, I've read the article and it has lots of useful info, but I'm still not completely clear on a few things:
- It seems it is not possible to use security defaults for just the E1/A1 users and CA for E5/A5 users, as it is a blanket setting across the tenant, BUT does that apply to all conditional access policies or just CA policies that pertain to MFA?
- Is there any way to omit certain users, like service accounts or other users that couldn't interact with MFA?
The old baseline security policies method used to have the ability to exclude users (but that was removed last year). It seems crazy to have a tenant-wide setting like this and security defaults without any degree of exclusions allowed. It essentially means it is only really useful for smaller organizations with less complex environments, yet very large organizations would likely be in more need of something like this but couldn't justify the expense of upgrading licences for large volumes of users just for a single feature.
Jun 02 2020 11:33 AM
Jun 04 2020 01:55 PM
@Moe_Kinani OK, that's interesting, so in theory we could have all the 1000s of A1 licences (students) with MFA required due to security defaults, and for staff A5 utilize CA settings to have MFA forced and other CA policies where required, correct? That could work for us - I will have to look into it and test further when I get a chance (a few more urgent things currently to sort first).