Microsoft Tech Community

Using MFA and conditional access in the same tenant

Hi,

In our 365 tenant we started with using multifactor authentication per user and we applied Azure AD Multi-Factor Authentication for all users.

Subsequently, we created conditional access to impose the use of multi-factor authentication for all users.

To create conditional access, we used an Azure AD Premium license which was assigned to only the administrator account.

All other accounts do not have an Azure AD Premium license; they use Office 365 business or standard accounts.

My questions are:

Is it necessary to assign an Azure AD Premium license for each user?

Is it correct to keep Azure MFA and Conditional Access running at the same time?

Regards

2 Replies
It's recommended to assign an Azure AD Premium license for each user, but it's not necessary, as assigning an Azure AD Premium license to just 1 user will unlock Azure AD Premium features for the entire tenant.
Microsoft's recommendation is to use Conditional Access for MFA. Here is the article and PS script to convert users from per-user MFA to Conditional Access based MFA:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#convert...

@MohAbidi you need a P1 license for every user if you also want to have conditional access.

Conditional access is very critical in today's environment to establish a foundation pillar for a Zero Trust environment.

You can enable MFA even with the free edition, but it comes with limited functionality, and the below table provides what level of details you achieve with each license, specifically on MFA.

The below article specifically compares licenses w.r.t. MFA: Azure AD Multi-Factor Authentication versions and consumption plans - Microsoft Entra | Microsoft Le...