Conditional access only for specific user

Cezary Koelner 0 Reputation points
2024-03-14T14:53:39.3+00:00

Hello,
I have 50 users with Business Standard licences and one Global Admin account with a Business Premium licence.

I need to disable "persistent browser session" for only one user (who has a Business Standard licence), so that every time he opens a document shared with him from SharePoint Online he has to perform a 2FA login. Other users should still be able to use persistent browser sessions.

As far as I know, to achieve this I need to enable "conditional access", for which I need to disable "security defaults".

If I understand correctly, such an operation will have an effect on the entire tenant and by disabling the "free" security defaults, I will lose for other users the possibility of using the conditions included in it, such as:

  • Requiring all users to register for multifactor authentication
  • Requiring administrators to do multifactor authentication
  • Requiring users to do multifactor authentication when necessary
  • Blocking legacy authentication protocols
  • Protecting privileged activities like access to the Azure portal

Can I achieve this or a similar effect without having to switch all other Business Standard users to licences containing Entra ID P1?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

3 answers

  1. Andy David - MVP 147.9K Reputation points MVP
    2024-03-14T15:35:46.2366667+00:00

    You can still set per-user MFA:

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

    But you won't be able to block basic auth without either enabling security defaults or using a conditional access policy (which requires a P1 for each user who is included in the policy to be compliant).

    Note that Basic auth is blocked in Exchange Online, however:

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication


  2. Cezary Koelner 0 Reputation points
    2024-03-15T15:00:02.5366667+00:00

    "... exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on..."

    Does this mean that you do not need an Entra P1 to use this and I can use it with Entra Free (Business Standard)?


  3. Cezary Koelner 0 Reputation points
    2024-03-21T07:40:00.82+00:00

    Anyone?

    "... exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on..."

    Does this mean that you do not need an Entra P1 to use this and I can use it with Entra Free (Business Standard)?
