MFA required Conditional Access


I have a conditional access policy (currently in report only mode) that will require MFA on all internal users.  Microsoft originally instructed me to enable MFA on all the users via the MFA admin console, which were all set to "enforced".  Reading up on one of the MS docs, it mentions turning this back off prior to enabling the policy.  Can someone help explain why this is necessary? Seems backwards to me.

3 Replies
Because those are two separate sets of controls, and the per-user MFA setting "overrides" the CA policy. In your case, if users are always "enforced" for MFA, conditions such as location, application or group membership will be ignored. Well you do have the option to configure trusted IPs in the old MFA portal, but not the other conditions.

If user-based MFA is enabled, it will override the conditional access policies for that user.
The best practice is to first turn on MFA only through conditional access. You can evaluate the impact of the policies for users by using report only mode, then enable it for a limited group of users (pilot), then enable it for all (it can be multiple policies for specific use cases and specific groups of people). Don't forget to exclude the break glass account and separate policies for admins from those for users.
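As an added example (not part of this thread and not Microsoft's own script), the staged rollout described above expressed with the Microsoft Graph PowerShell SDK: one policy for users created in report-only state, a separate policy for admins, and the break glass account excluded from both. The object IDs and group names are constructed placeholders; the Global Administrator role template ID is the well-known value, but verify it against your tenant. Note that while users are still "enforced" in the legacy per-user MFA portal, the report-only sign-in results will not reflect what this policy would do for them, which is the point the replies above make.

```powershell
# Added example: phased MFA rollout through Conditional Access with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in admin has the listed scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Constructed placeholders: replace with the object IDs from your own tenant.
$breakGlassUserIds = @("00000000-0000-0000-0000-000000000001")   # emergency access account(s)
$pilotGroupId      = "00000000-0000-0000-0000-0000000000aa"      # group used for the pilot phase
$globalAdminRole   = "62e90394-69f5-4237-9190-012177145e10"      # Global Administrator role template ID

# Phase 1: all users, report-only, admins carved out so they get their own policy.
$userPolicy = @{
    displayName = "CA01 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only: logs the outcome, enforces nothing
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassUserIds           # never lock out the break glass account
            excludeRoles = @($globalAdminRole)          # admins are covered by CA02 below
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $userPolicy

# Separate policy for admins: enforced immediately, still excluding the break glass account.
$adminPolicy = @{
    displayName = "CA02 - Require MFA for admins"
    state       = "enabled"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = $breakGlassUserIds
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy | Out-Null

# Phase 2 (after reviewing the report-only sign-in logs): enforce for the pilot group only.
$pilotConditions = $userPolicy.conditions
$pilotConditions.users = @{
    includeGroups = @($pilotGroupId)
    excludeUsers  = $breakGlassUserIds
    excludeRoles  = @($globalAdminRole)
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{
    state      = "enabled"
    conditions = $pilotConditions
}

# Phase 3 (once the pilot is clean): widen back to all users while keeping the exclusions.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{
#     conditions = $userPolicy.conditions
# }

# Verify what is in place and in which state before touching the legacy per-user MFA settings.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Run each phase as a separate step, checking the report-only results in the sign-in logs between phases; the commented Phase 3 block is left for you to run deliberately rather than in the same session as the pilot change.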

Got it. Thanks for the replies. I will get this policy enabled then I will go back and disable the "old way" :)