May 05 2021 - last edited on Jan 14 2022
I have a conditional access policy (currently in report-only mode) that will require MFA for all internal users. Microsoft originally instructed me to enable MFA on all the users via the MFA admin console, where they were all set to "enforced". Reading up on one of the MS docs, it mentions turning this back off prior to enabling the policy. Can someone help explain why this is necessary? Seems backwards to me.
May 05 2021 09:53 AM
May 05 2021 11:27 PM - edited May 05 2021 11:29 PM
If user-based MFA is enabled, it will override the conditional access policies for that user.
The best practice is to first turn on MFA only through conditional access. You can evaluate the impact of the policies for users by using report-only mode, then enable it for a limited group of users (pilot), then enable it for all (this can be multiple policies for specific use cases and specific groups of people). Don't forget to exclude the break-glass account, and to keep separate policies for admins from those for users.
May 06 2021 05:23 AM
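As an added example (not code from either poster), this script audits which users still have the legacy per-user MFA state set to Enabled or Enforced, which is the state the answer says overrides conditional access, and then clears it for a pilot group so the CA policy takes over. It assumes the legacy MSOnline module, a pilot group name of `CA-MFA-Pilot`, and a placeholder list of accounts to leave alone; all three are assumptions to adjust for your tenant.

```powershell
# Added example: audit and pilot-clear per-user (legacy) MFA so Conditional Access
# becomes the only MFA control. Requires the MSOnline module (Install-Module MSOnline)
# and an admin session. Group name and exclusion list below are assumed placeholders.
Connect-MsolService

$pilotGroupName = 'CA-MFA-Pilot'                       # assumed pilot group name
$leaveAlone     = @('breakglass@contoso.example')      # assumed: accounts managed separately
$apply          = $false                               # set $true to actually clear per-user MFA

# Per-user MFA state lives in StrongAuthenticationRequirements:
# empty collection = Disabled, otherwise State is 'Enabled' or 'Enforced'.
function Get-PerUserMfaState {
    param([Parameter(Mandatory)] $User)
    $req = $User.StrongAuthenticationRequirements
    if ($req.Count -eq 0) { 'Disabled' } else { $req[0].State }
}

# 1. Report: which member users would have CA overridden by per-user MFA.
$report = @(Get-MsolUser -All |
    Where-Object { $_.UserType -eq 'Member' } |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfa        = Get-PerUserMfaState -User $_
        }
    })
$overriding = @($report | Where-Object { $_.PerUserMfa -ne 'Disabled' })
'{0} of {1} member users have per-user MFA Enabled/Enforced (overrides CA for them)' -f $overriding.Count, $report.Count
$overriding | Sort-Object UserPrincipalName | Format-Table -AutoSize

# 2. Pilot: clear per-user MFA only for the pilot group, skipping excluded accounts,
#    so the report-only/enabled CA policy is what prompts those users.
$pilotGroup = Get-MsolGroup -SearchString $pilotGroupName | Select-Object -First 1
if (-not $pilotGroup) { throw "Pilot group '$pilotGroupName' not found" }

Get-MsolGroupMember -GroupObjectId $pilotGroup.ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' -and $_.EmailAddress -notin $leaveAlone } |
    ForEach-Object {
        if ($apply) {
            Set-MsolUser -UserPrincipalName $_.EmailAddress -StrongAuthenticationRequirements @()
            "Cleared per-user MFA for $($_.EmailAddress)"
        } else {
            "Would clear per-user MFA for $($_.EmailAddress) (set `$apply = `$true to do it)"
        }
    }
```

Run it with `$apply = $false` first and compare the report against your CA sign-in logs in report-only mode before clearing anything beyond the pilot group.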