Enable MFA for cloud and disable MFA for on-premises

Zajíček Martin 20 Reputation points
2024-09-04T13:28:17.8933333+00:00

Hello,

Within our organization, we utilize both cloud services and on-premises solutions. For example, User 1 accesses cloud-based services such as SharePoint and Exchange, while User 2 exclusively uses on-premises solutions.

We are planning to implement Multi-Factor Authentication (MFA) for all users when signing into cloud services with their work accounts. Consequently, we would like to know if it is possible to require MFA for users like User 1 who access cloud services, while exempting users like User 2 who solely use on-premises solutions. Specifically, is there a way to configure conditional access policies that differentiate between cloud and on-premises service access?

Thank you for your assistance.

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,797 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
430 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,183 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,062 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sandeep G-MSFT 19,761 Reputation points Microsoft Employee
    2024-09-05T14:16:01.14+00:00

    @Zajíček Martin

    Thank you for posting this in Microsoft Q&A.

    As I understand you want to implement conditional access policy in Entra ID for MFA while accessing any of the cloud services. If user is using on-premises resources, then MFA should not be prompted.

    This is achievable by configuring conditional access policy pointing to specific users.

    You can follow below article to configure this in your environment,

    https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa

    However, Microsoft has made an announcement couple of months back to improve the security for all users in Azure by enabling MFA for all users.

    Starting in October 15, 2024, enforcement for MFA at sign-in for the Azure portal , Entra portal and Intune portal will roll out gradually to all tenants. This phase will not impact any other Azure clients, such as Azure CLI , Azure PowerShell and IaC tools. This phase is expected to last until March 2025.

    Starting in early 2025, enforcement for MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell and Infrastructure as Code (IaC) tools will gradually roll out to all tenants.

    For both phases, Microsoft will notify global admins about the expected enforcement date of your tenant(s) by email and through Azure Service Notifications, 60 days in advance. The countdown for enforcement for your tenant(s) does not begin until you have received this first notification from us. Additionally, we will send out periodic reminders to global admins at a regular cadence between the first notification and the beginning of enforcement for your tenant(s).

    We will also allow a grace period for select customers with use cases where no workarounds are easily available and who need additional time (beyond the start date of enforcement for their tenants) to prepare for the MFA requirement at Azure sign-in. The first notification from us stating the enforcement date for your tenant(s) will also include a link to apply for the grace period. Additional details on customer types, use cases and scenarios that are eligible for grace period will be included in the notification.

    This means any user who is part of Azure will have to go through MFA as second factor authentication if Azure is performing authentication for them.

    i.e; If any user is access any resource and if there authentication authority is Azure, then all those users will be prompted for MFA.

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.