Conditional Access: Force users to enable MFA

JEsders 20 Reputation points
2023-09-28T14:28:10.0166667+00:00

Hello,

We're using conditional access to enroll MFA for our customers. Usually we exclude their public IPs so as not to enforce MFA authentication, to not bother the users when they are in a secure environment.

The problem we have with that is that some users never use online services outside of the organization network, so maybe they never even activate MFA on their account, which makes it easy for an attacker to activate it for himself, because he will be prompted to do so.

Is there a way to:

  • disable the need for MFA within the organization BUT
  • enable the need to activate at least one method so the account is secured for external access?

Or is there a way to disable the possibility to activate new authentication methods outside of our own networks?

The other way would be to disallow login for all users from outside the organization and only enable it for users that really need it. But that's an administrative expense for sure...

What are your opinions?

Thanks in advance


Accepted answer
  1. Harpreet Singh Matharoo 8,106 Reputation points Microsoft Employee
    2023-09-29T09:04:17.7833333+00:00

    Hello @JEsders

    Thank you for reaching out. I understand you would like to have all users register for MFA. This can be achieved by using Microsoft Entra ID Protection MFA registration policy. Microsoft Entra ID Protection helps you manage the roll-out of Microsoft Entra multifactor authentication registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you're signing in to.

    Steps for Policy configuration:

    1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
    2. Browse to Protection > Identity Protection > MFA registration policy.
    3. Under Assignments > Users:
        1. Under **Include**, select **All users** or **Select individuals and groups** if limiting your rollout.
        2. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
    4. Enforce Policy - On
    5. Save

    More details available on: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy

    I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.
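The gap the question describes (users who never registered an MFA method because they only sign in from excluded IPs) can be measured before and after rolling out the registration policy. The following is an added example, not code from the answer above or from Microsoft's documentation; it assumes the Microsoft.Graph.Reports PowerShell module is installed and that the signed-in account has been granted the `AuditLog.Read.All` and `UserAuthenticationMethod.Read.All` permissions.

```powershell
# Added example: list users with no registered MFA method via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Reports is installed and the caller can consent to the scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Registration details for every user in the tenant; -All pages through the full result set.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Accounts with no MFA method registered are the ones that could still be enrolled by whoever
# first signs in from outside the trusted IP ranges, which is exactly the risk raised in the question.
$unregistered = $details | Where-Object { -not $_.IsMfaRegistered }

$unregistered |
    Select-Object UserPrincipalName,
                  IsAdmin,
                  IsMfaCapable,
                  @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object -Property IsAdmin -Descending |
    Format-Table -AutoSize

# Keep a dated snapshot so the number can be tracked as the registration policy takes effect.
$snapshot = Join-Path -Path $PWD -ChildPath ("mfa-unregistered-{0:yyyyMMdd}.csv" -f (Get-Date))
$unregistered |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, IsMfaRegistered |
    Export-Csv -Path $snapshot -NoTypeInformation

"{0} of {1} users have no MFA method registered (saved to {2})" -f $unregistered.Count, $details.Count, $snapshot
```

Run it once before enabling the policy and again after the users have had a chance to sign in; the count should trend to zero, with any remaining accounts (service accounts, break-glass accounts) reviewed individually.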

