MFA for Azure Portal Login, but NOT for Office 365 Login

Shaun Wilkinson 0

MS are implementing mandatory MFA login for their Entra and Azure Admin Portals. This makes sense.

Can someone tell me how I enable the MFA access for the Azure and other Admin portals BUT decline to enable it for Office 365 applications.

There should be an option that allows for the selection of which apps require MFA and which do not.

Can someone point me towards where they may be done.

Thanks in advance

Navya 10,375 Reputation points Microsoft Vendor

2024-08-23T10:29:30.2233333+00:00

Hi @Shaun Wilkinson

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Navya 10,375 Reputation points Microsoft Vendor

2024-08-26T02:33:07.3+00:00

Hi @Shaun Wilkinson

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and "Up-Vote" for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

Navya 10,375 Reputation points Microsoft Vendor

2024-08-20T03:33:05.4266667+00:00
Hi @Shaun Wilkinson

Thank you for posting this in Microsoft Q&A.

I understand that you are looking for a way to configure Multi factor authentication (MFA) for Azure Portal Login, but NOT for Office 365 Login.

To set this up, you'll need to create a conditional access policy that targets the Azure and Admin portals, and then exclude the Office 365 applications from the policy. Here's a step-by-step guide to help you achieve this:

Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

Browse to Protection > Conditional Access > Policies.

Select New policy.

Give the policy a name, such as "MFA for Azure and Admin Portals".

Under Assignments, select Users or workload identities you want to apply the policy to.

Under Target resources > Cloud apps > Include, select apps >select Microsoft Admin Portals it includes Microsoft 365 admin center, Exchange admin center, Azure portal, Microsoft Entra admin center, and others.

Under Access controls > Grant, select Grant access, require multifactor authentication, and select.

Confirm your settings and set Enable policy to On.

Select Create to create to enable your policy. For your reference: Conditional Access: Target resources

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.
Shaun Wilkinson 0 Reputation points

2024-08-22T00:09:32.2833333+00:00

Hello,

Create New Policy is disabled

What level of permissions as I required to have to Create a policy.

I am in the administrators group.

Shaun Wilkinson 0 Reputation points

2024-08-22T00:13:34.8733333+00:00

The create New Policy is Disabled even though I have admin rights

Navya 10,375 Reputation points Microsoft Vendor

2024-08-22T01:49:43.51+00:00

Hi Shaun Wilkinson

Thank you for following up on this!

Is there a premium P1 or P2 license in your tenant?

Creating a conditional access policy requires a premium P1 or P2 license. If you don't have one, you can enable a trial license. For information on obtaining a free trial, refer to the Microsoft Entra ID P2 Trial

Hope this helps. Do let us know if you any further queries.

Shaun Wilkinson 0 Reputation points

2024-08-22T01:57:43.3033333+00:00

So we have to pay in order to configure what you are now making mandatory?

We office 365 subscribers, we use powerbi and the office suite, we are action pack subscriber and utilise a number of azure services.

Now MS make MFA mandatory and we must pay a P1 or P2 license in order to configure MFA exclusion to office 365 ???

We shouldn't have to use MFA for Office because you are now making it mandatory to use MFA in the portals.

Or are you saying enter a trial, create a policy, leave the trail and the policy remains ?

Navya 10,375 Reputation points Microsoft Vendor

2024-08-22T02:34:33.8333333+00:00

Hi Shaun Wilkinson

MFA can be implemented without the need for premium P1 and P2 licenses. There are two methods to enforce MFA on users:

Security Defaults in Microsoft Entra ID, however this enforces MFA on entire tenant and enforces users to register for MFA. More details on following documentation link: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults

Alternatively, you can enable per-user Microsoft Entra multifactor authentication to secure sign-in events. This would allow admins to enable MFA for specific users from Legacy MFA portal. You can review following documentation link for more details: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

But in the above-mentioned ways, you are not able to achieve your goal, i.e. MFA for Azure Portal Login, but NOT for Office 365 Login. Your goal can be achieved through a conditional policy.

You can activate a trial Premium P1 or P2 license and create a conditional access policy. Any conditional access policy you establish will continue to function even after the trial license expires, but you will not be permitted to create new conditional access policies once the trial has ended.

Shaun Wilkinson 0 Reputation points

2024-08-22T03:30:46.83+00:00

Ok thankyou very much.

But can you tell me (or point me towards) what changes we will we see if I sign up to the P2 Trial you provided a link for ?

I dont wish to jump into the trial and have our users all complaining about the use or accessibility to their products.

Navya 10,375 Reputation points Microsoft Vendor

2024-08-22T10:54:15.0833333+00:00

Hi Shaun Wilkinson

I understand your concern. The Azure Active Directory Premium P2 trial provides additional features and capabilities that are not available in the free version of Azure AD. However, these features may not be necessary for all organizations, and it is important to evaluate whether they are needed before signing up for the trial.

Here are some key changes you can expect:

Conditional access: You'll have more granular control over access to your resources, including conditional access policies based on user and device risk.

Enhanced security features: The P2 trial includes features such as Identity Protection and Privileged Identity Management, which can help you detect and remediate identity-based risks and manage access to important resources in your organization.

Access reviews: The P2 trial includes access review capabilities, which can help you manage access to resources by conducting periodic access reviews.

Azure AD Identity Governance: The P2 trial includes features that can help you manage the lifecycle of identities in your organization by automating tasks such as access requests, approvals, and provisioning.

The following table lists features that are available in Microsoft Entra licensing Hope this helps. Do let us know if you any further queries.

Navya 10,375 Reputation points Microsoft Vendor

2024-08-28T01:50:14.94+00:00

Hi Shaun Wilkinson

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back. Meanwhile, if the reply is helpful to you, please try to mark it as an answer to help others who encounter the same issue and read this thread. Have a nice day!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

MFA for Azure Portal Login, but NOT for Office 365 Login

1 answer

Your answer