MFA for all users

Question

Hello all

We would like to implement MFA to be applied to all users and all apps. Yes there is a template but following best practice is to eliminate service accounts. We will exclude log ins from trusted locations which might help but the question is this. Is there a quick way to identify service accounts so we can eliminate them?

I noticed MS finally introduced conditional access policy templates and one is for MFA to be applied to all users. Great I thought but not really because you can rarely, if ever, apply to all users with out impact. Yes, you can test before end with such things are reporting but fact is I know it would cause issues, hence my query.

I joined the company recently and there are literally thousands of accounts I would have to look at.

Am I going about this the wrong way? I was thinking about creating an AD group and applying accounts there. Sure, we would need to maintain that member list but I can't think of any other way. What are you all doing to accomplish this? Per MFA and ticking the box?

Answer 1

Hi Testing,

It depends on the requirements and security baseline requirements if your goal is to rollout MFA to all users but need to test / verify for small set of users it is possible and I have seen instances that groups used to slow rollout and test/monitored sessions. If you are concern about issues I will split into different groups for apps, admins, users , locations and implement it. Also read through the scenarios and recommended by Microsoft.

howto-mfa-getstarted

==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.