Migrate users from Office 365 multi-factor authentication to Azure conditional access

Hi all,

We enabled Office 365 MFA in our organization (we have E1 licensing). We recently discovered that Microsoft enabled Azure conditional access for us, where we can let the users work without entering their MFA code every time they are requested.

The problems we face are:

  1. The user will need to enter their personal password (the issue is mainly for Android phones that need an app password).
  2. When browsing from a device that isn't compliant with the conditional access policy for the first time after the migration, the user will be forced to go through the entire MFA wizard even if the phone or application is already registered.

We need a way to migrate our users as smoothly as possible, with as little user interaction as possible.

As one user told me: "I want to know that when I start my computer it works without me setting up anything."

Any help would be appreciated.

Not possible. One of the things with MFA is "what you know": they have to set up something that only they know on that device for the MFA setup. Conditional access also is not part of E1; it requires some pretty heavy configuration and is part of Azure AD Premium P1 licensing, same for the expanded-upon MFA which is part of that. Here is the feature matrix for Azure AD Premium.
https://azure.microsoft.com/en-us/pricing/details/active-directory/

To my knowledge, the only MFA you get with Office 365 E1 is the basic built-in login MFA.

Well, we were able to set up conditional access to some extent: we were able to disable Office MFA for a user and set that user up with conditional access, and it works pretty well.

My question is whether there is any way to migrate the user to conditional access without a lot of user intervention, mainly resetting the user's second authentication device.

Some things like Azure AD Premium stuff will activate with one license or when a trial is spun up and will stay in the tenant, and just because you can doesn't mean you don't need a license for it ;). You don't want to get stuck in an audit scenario and have Premium features configured with no licenses on your tenant. I'd triple-check it with Microsoft / your reseller before rolling it out, but I'm pretty sure you need licenses for any conditional access, just to be sure.
The conditional access options are limited; we have 4 options: one is requiring MFA, another is device registration, and two more that I don't remember.
When we found out about it, it was with a certified Microsoft consultant who was as shocked as we were.
Because these options are sufficient for our needs, we would like to roll it out.

Your users will always have to be configured for MFA. Depending on your wishes you can define your conditional access, but your users need to have their MFA set up.

While reading your answer I realized that my question should be different:
Is it correct to assume that if I enabled Office MFA and afterwards added the user to conditional access, the conditional access won't apply and I will have to disable the Office MFA in order for conditional access to work? This will force the user to reset their authentication device.
So the transition will never go smoothly...

Do you mean Office 365 MFA?

Office 365 MFA and Conditional Access use the same MFA service, Azure MFA. So if you enable Conditional Access, it will use the same configuration for the users that have already configured their additional authentication. So, since it is the same MFA, it should not ask to reset the device setup.

So if we enabled MFA through Office 365 and then added the user to Azure conditional access, this should work? I don't need to do anything else?

Yes. There shouldn't be any issues since it is the same MFA Service.

My question was incomplete in the first place.

Right now our users are required to enter an MFA code every month per the Office 365 MFA policy.

I want them to use Conditional Access. My policy looks like this:

[Attachment: MFA.JPG]

Here is my problem: if I just add a user to CA, the MFA prompt will continue on another hybrid computer (AzureADPRT is set to YES under SSO state on all domain devices). If I add the user to CA and disable Office 365 MFA, the phone information will be saved but the user will still be prompted for registration.

Sorry for the confusion...

Well, I guess the answer is that the users will have to go through the MFA registration wizard.
FYI, Android users will revert back to email and password without MFA on the built-in email app, which is a security hole.
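Before moving users from per-user (Office 365) MFA to a Conditional Access policy, an admin will want to know which users already have an authentication method registered and which will be sent through the registration wizard the first time CA requires MFA. The following PowerShell is an added example, not code from this thread or from Microsoft; it uses the legacy MSOnline module (Connect-MsolService / Get-MsolUser), whose StrongAuthenticationRequirements property holds the per-user MFA state and whose StrongAuthenticationMethods property lists the registered methods. The report file name and the example UPN are assumptions, and the account running it is assumed to have a role that can read user MFA settings.

```powershell
# Added example (not from the thread): inventory per-user MFA state and
# registered authentication methods before moving users to Conditional Access.
# Requires the legacy MSOnline module and an account allowed to read MFA settings.

Import-Module MSOnline
Connect-MsolService

$report = Get-MsolUser -All | ForEach-Object {
    $u = $_

    # StrongAuthenticationRequirements is non-empty only when per-user MFA is
    # Enabled or Enforced for this account.
    $perUserState = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }

    # StrongAuthenticationMethods lists what the user has already registered
    # (e.g. PhoneAppNotification, PhoneAppOTP, OneWaySMS, TwoWayVoiceMobile).
    $methods = ($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ';'
    $default = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PerUserMfaState   = $perUserState
        RegisteredMethods = $methods
        DefaultMethod     = $default
        # A user with no registered method will hit the registration wizard
        # the first time a CA policy requires MFA from them.
        NeedsRegistration = [string]::IsNullOrEmpty($methods)
    }
}

# Assumed output path; adjust as needed.
$report | Export-Csv -Path .\mfa-migration-report.csv -NoTypeInformation

# Summary for the rollout plan: who still needs to register before the CA policy
# is enabled for them.
$report | Where-Object { $_.NeedsRegistration } |
    Select-Object UserPrincipalName, PerUserMfaState

# Once the CA policy covering a user is confirmed to be working, the per-user MFA
# requirement can be cleared without touching the registered methods.
# The UPN below is a placeholder.
# Set-MsolUser -UserPrincipalName 'user@contoso.example' -StrongAuthenticationRequirements @()
```

Because both per-user MFA and Conditional Access draw on the same Azure MFA registration data, the RegisteredMethods column is what determines whether a user is re-prompted to register; clearing the per-user requirement only removes the monthly prompt policy, not the registered phone or app.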