- last edited on
We enabled Office 365 MFA in our organization (We have E1 licensing). We recently discovered that Microsoft enabled for us Azure conditional access where we can let the users work without entering their MFA code every time they are requested.
The problems we face are:
We need a way to migrate our users as smooth as possible with the least user interaction as possible.
As one user told me: "I want to know that when I start my computer it works without me setting up anything"
Any help would be appreciated.
12-17-2018 12:17 PM
12-17-2018 12:59 PM
Well we were able to set up conditional access to some extent, we were able to disable office MFA for a user and set that user with conditional access and it works pretty well.
My question is if there is any way to migrate the user to conditional access without a lot of user intervention mainly re-setting the user's second authentication device.
12-17-2018 01:05 PM
12-17-2018 01:19 PM
12-17-2018 08:56 PM
Your users will always have to be configured for MFA. Depending on your wishes you can define your conditional access but your users need to have their MFA setup.
12-17-2018 09:11 PM
12-17-2018 09:14 PM
Do you mean Office 365 MFA?
Office 365 MFA and Conditional access use the same MFA service, Azure MFA. So if you would enable Conditional Access it will use the same configuration for the users that already have configured their additional authentication. So, since it is the same MFA it should not ask to reset the device setup.
12-17-2018 10:22 PM
So if we enabled MFA through Office 365 and than added the user to Azure conditional access this should work? I don't need to do anything else?
12-18-2018 05:34 AM
Yes. There shouldn't be any issues since it is the same MFA Service.
12-20-2018 05:40 AM - edited 12-20-2018 01:12 PM
My question was incomplete in the first place.
Right now our users are needed to enter MFA code every month per Office 365 MFA policy
I want them to use Conditional Access. My policy looks like this:
Here is my problem: If I just add a user to CA the MFA prompt will continue on another Hybrid computer (AzureADPRT is set to YES under SSO state on all domain devices). If I add to CA and disable Office 365 MFA the phone information will be saved but the user will still be prompted for registration.
sorry for the confusion...
12-24-2018 11:54 AM