Conditional Access, MFA and having it all set up via best practices

Copper Contributor

I inherited a M365 environment and trying to hash everything out.  I came from a previous Google environment where there was only one way to set something up, so my brain is adjusting.  

 

MFA is currently enforced via a conditional access policy.  I would like to move towards passwordless phishing resistant MFA but I don't want to "break" something.  I see the CA policy enabled, but nothing in Entra is enabled for MFA.  I also see per user MFA disabled.  So if I go and enable MFA in Entra, will it conflict with the existing setup and potentially cause login issues?  Or does the new MFA in Entra override everything?  To add, under authentication methods, everything is OFF except for Email OTP, but obviously MFA is on and working.  Is this something where M365 is running the show and nothing is setup in Azure?  It's a bit confusing how I see the same settings in different locations and where they can both be enabled with conflicting settings. 

 

I would like to have everything setup with best practices and that seems to be passwordless phishing resistant MFA, but I also don't want to cause critical issues moving over to that.  

 

Thanks for the help.

2 Replies
If you already have CA policies setup as expected (i.e. users are prompted to register the desired MFA methods and prompted to do MFA where needed), you can simply "upgrade" the policy to require specific methods via the so-called auth strength control: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths
The article also explains how the other settings relate to said control. The biggest challenge would be making sure the users have a phish-resistant method registered, as if you enforce this requirement via CA policies, users with no valid method registered will end up with blocked access.