Conditional Access policy recommendation

Steve Wright 21 Reputation points
2022-10-17T09:17:50.273+00:00

I am looking for recommendations on assigning policies. I want to enforce MFA for most users. If I assign the policy to "All Users" I capture all new users, but it will also apply to guest accounts and domain accounts for services, etc., that cannot have MFA. If I create a group and assign most users to it, I run the risk that tech staff will 'skip' adding new users to the group, leaving a gap in security.

What do you do? Do you create a group that MFA applies to, or do you select "All Users" and have a group as an exclusion, with the group containing all the non-MFA accounts?

2nd question: If I do apply it to "All Users" and one of my users shares a folder with an external user (which creates a new guest account), will the new guest account be forced to enroll for MFA just like internal users?


Accepted answer
JimmySalian-2011 42,176 Reputation points
2022-10-17T09:27:38.497+00:00

Hi Steve,

Yes, that is correct: with option 1, select All Users for MFA and apply an MFA exclusion group containing the break-glass account, service accounts and guest accounts.

The same principles apply to the 2nd question, and you can try the What If tool in the portal to check the policies and how they will impact users before making them live; also turn on Report-only mode.

More detailed steps and guidelines here - concept-conditional-access-users-groups
Hope this helps.
JS

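The pattern in the accepted answer (include All Users, exclude one group, start in report-only mode) is what a Microsoft Graph Conditional Access policy body looks like when built by hand. The following is an added example, not code from the question, the answer or Microsoft; the group ID and the sample directory are constructed placeholders, the `user_in_scope` function is a simplified local model of how include and exclude assignments combine (an exclusion always wins over an include), and it is not a replacement for the portal's What If tool.

```python
"""Build a Conditional Access 'require MFA for all users' policy body for the
Microsoft Graph API and locally preview which accounts it would cover.

Added example; IDs and the sample directory below are constructed placeholders.
"""
import json

# Real Graph endpoint for creating Conditional Access policies (POST).
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder object ID of the exclusion group (constructed; substitute your tenant's group).
MFA_EXCLUSION_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"


def build_mfa_policy(exclusion_group_id: str, report_only: bool = True) -> dict:
    """Return the JSON body for an 'All Users minus one exclusion group' MFA policy.

    report_only=True uses the Graph state 'enabledForReportingButNotEnforced',
    which is the Report-only mode the answer recommends before going live.
    """
    return {
        "displayName": "Require MFA for all users (exclusions via group)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [exclusion_group_id],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def user_in_scope(policy: dict, user_id: str, user_group_ids: list) -> bool:
    """Simplified model of CA user scoping (assumption, not the service's own logic):
    a user is in scope if any include matches, and any exclude overrides that."""
    users = policy["conditions"]["users"]
    include_users = users.get("includeUsers", [])
    include_groups = users.get("includeGroups", [])
    exclude_users = users.get("excludeUsers", [])
    exclude_groups = users.get("excludeGroups", [])

    included = (
        "All" in include_users
        or user_id in include_users
        or any(g in include_groups for g in user_group_ids)
    )
    excluded = user_id in exclude_users or any(g in exclude_groups for g in user_group_ids)
    return included and not excluded


def scope_report(policy: dict, directory: dict) -> dict:
    """Map each account in a {user_id: [group_ids]} directory to True (MFA enforced)
    or False (excluded), so the exclusion list can be reviewed before enabling."""
    return {uid: user_in_scope(policy, uid, groups) for uid, groups in directory.items()}


# Constructed sample directory: who is, and is not, in the exclusion group.
SAMPLE_DIRECTORY = {
    "alice@contoso.example": [],                              # regular employee
    "svc-backup@contoso.example": [MFA_EXCLUSION_GROUP_ID],   # service account, excluded
    "breakglass@contoso.example": [MFA_EXCLUSION_GROUP_ID],   # break-glass account, excluded
    "bob_partner.example#EXT#@contoso.example": [],           # guest created by sharing a folder
}

if __name__ == "__main__":
    policy = build_mfa_policy(MFA_EXCLUSION_GROUP_ID)
    print(f"POST {GRAPH_ENDPOINT}")
    print(json.dumps(policy, indent=2))
    for account, enforced in scope_report(policy, SAMPLE_DIRECTORY).items():
        print(f"{'MFA required' if enforced else 'excluded    '}  {account}")
```

The guest created by the folder share in the sample is covered by the policy because "All Users" includes guests and nobody added it to the exclusion group, which is exactly the behaviour the second question asks about; the exclusion group itself is the thing to review regularly, since anyone placed in it bypasses MFA.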

