Feb 15 2018 (last edited on Jan 14 2022)
I’m trying to figure out how Azure MFA (set on a user) and Conditional Access (set by policy) play together.
Does one trump the other? Does Conditional Access “extend” the capabilities of Basic MFA?
Specifically, I want to require app passwords 100% of the time, and then use conditional access rules to bypass MFA for apps using Modern Auth based on the conditions (more than just IP range).
So far I have been unable to do any Conditional Access on things like iOS email or the Gmail app. It seems app passwords aren't available for Conditional Access policies.
If I disable MFA (set on a user), and then create a Conditional Access policy, the policy ONLY works on authentications that use Modern Authentication. CA policies don't apply to ActiveSync (?)
If I enforce MFA (set on a user), then it doesn't seem the exceptions I set in Conditional Access are working, because MFA is trumping Conditional Access (?)
Feb 15 2018 11:57 PM
Feb 16 2018 06:18 AM
Feb 19 2018 03:34 AM
App passwords are bad, don't use them. They are doing the opposite of what MFA/CA does, and you should have some serious discussions with the powers that be, before going down that rabbit hole.
I'm assuming the issue here is making sure users are still able to access their email on a mobile, after switching on MFA? The latest iOS client should support Modern auth, thus MFA/conditional access will work. The Outlook app on every mobile platform also supports it. So there should be at least one option available.
Or, you can just use CA in an opposite fashion - ask for MFA only when not using ActiveSync. And yes, enforcing it on the user level will always trigger it, regardless of what you have configured for CA (by "enforcing" I mean the corresponding option in the MFA portal). This is the more secure option, as apart from ActiveSync, CA will not trigger for anything that uses legacy auth, as you have already noted. Including the MSOnline PowerShell module for example.
In case you really, really, really need to use some app that does not support Modern auth, you can now use cert-based auth as an additional level of protection. Assuming you have AD FS that is. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentic...
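For reference, the "opposite fashion" policy suggested above (require MFA only for clients that use Modern auth, leaving ActiveSync outside the policy) expressed as a Microsoft Graph conditionalAccessPolicy body. This is an added example, not something posted in the thread; the group id is a placeholder and the policy is set to report-only so its sign-in log hits can be checked before it is enforced.

```json
{
  "displayName": "Require MFA for Modern auth clients (browser + mobile/desktop)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<PLACEHOLDER-PILOT-GROUP-OBJECT-ID>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

Because `exchangeActiveSync` and `other` (legacy clients such as the MSOnline PowerShell module) are not listed in `clientAppTypes`, those sign-ins are never evaluated by this policy; the report-only sign-in log entries show exactly which clients it would have caught.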
Feb 21 2018 09:21 AM
It looks like CA and MFA won't work together to make my desired scenario work.
MFA 100% of the time on things that use legacy auth
Conditional MFA on things that use modern auth
Having protection against things like PowerShell is also going to be preferred. If a user's credentials get compromised, I'm going to assume most hackers aren't just gonna stroll right up to OWA to try and use it.
Feb 21 2018 10:55 AM
My personal opinion is to go with the more secure option - enforce MFA and *disable* app passwords. As mentioned above, there are email clients/apps with support for Modern auth on every platform nowadays, so that should not be a stopper.
Feb 23 2018 11:50 AM
Feb 23 2018 12:29 PM
No. It's detailed in this article: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-no-moder...