Enable MFA - Can't create Conditional Access Policy

Michael Pellegrini 0 Reputation points
2024-09-17T04:12:05.3366667+00:00

I'm required to set up multi-factor authentication (MFA) for my Azure subscription. According to the documentation, this requires creating a conditional access policy. When I visit that page in the Azure portal, the button to create a new policy is inactive, even though I'm a global administrator. I can't tell if a premium membership is required. I don't want to pay for a new service just to enable MFA. Can anyone help me resolve this?


2 answers

  1. Saurabh Sharma 10 Reputation points
    2024-09-17T04:49:39.3833333+00:00

    Hello Michael,

    As per the latest information from Microsoft, the implementation of mandatory MFA will be rolled out in phases. The first batch of tenants will receive mandatory MFA on October 15, 2024, and the last batch is expected to receive it by March 15, 2025. Customers who feel they will not be ready by the October 15, 2024, date can request a grace period, which will end on March 15, 2025.

    Check this link for a better understanding: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication

    Regarding your question about being unable to perform the task, below are my recommendations.

    1. For a conditional access policy, you should have a Premium P2 / P3 license available in Entra ID, as this policy feature is not available for free AD.
    2. To achieve the same, you have to create a group and apply the policy to it, and the license cost will be user based.
    3. An alternate method to achieve MFA is to go ahead with a bulk update in Entra ID.

    Path ==> Entra ID ==> Users ==> Per-user MFA ==> Bulk update ==> Download template ==> Update as per your requirement ==> Upload updated CSV ==> Completed

    1 person found this answer helpful.

  2. Sandeep G-MSFT 19,196 Reputation points Microsoft Employee
    2024-09-18T06:20:53.5533333+00:00

    @Michael Pellegrini

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you are unable to create a conditional access policy in your tenant.

    Usually, using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

    If you have Microsoft 365 Business Premium licenses then you will also have access to Conditional Access features.

    Risk-based policies require access to Microsoft Entra ID Protection, which requires P2 licenses.

    Other products and features that interact with Conditional Access policies require appropriate licensing for those products and features.

    If you are worried about the announcement that Microsoft made regarding enforcing MFA for all users in Azure while accessing the Azure portal, then even if you don't have P1 licenses, MFA will still work, with the Authenticator app as the only option.

    Post October 15th, if you have not set up any MFA for users, then they will be prompted for MFA and they will have to set up the Authenticator app on their phone, using which they can log in to the Azure portal.

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
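
An added example, not written by either answerer or taken from Microsoft's documentation: a check of whether a tenant's licenses cover Conditional Access (P1) and risk-based policies (P2), run over JSON in the shape of the Microsoft Graph `GET /subscribedSkus` response. The service plan names `AAD_PREMIUM` (P1) and `AAD_PREMIUM_P2` (P2) and the SKU part number `SPB` (Microsoft 365 Business Premium) do not appear on this page; the sample tenants are constructed, and counting only `Enabled` subscriptions is a conservative assumption.

```python
# Service plan names carried inside license SKUs (not shown on the page):
# AAD_PREMIUM = Entra ID P1, AAD_PREMIUM_P2 = Entra ID P2.
P1_PLAN, P2_PLAN = "AAD_PREMIUM", "AAD_PREMIUM_P2"

# Constructed samples in the shape of Graph's GET /subscribedSkus response.
SAMPLE_FREE = {"value": []}  # tenant with no paid subscriptions
SAMPLE_BUSINESS_PREMIUM = {"value": [{
    "skuPartNumber": "SPB",  # Microsoft 365 Business Premium
    "capabilityStatus": "Enabled",
    "servicePlans": [
        {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
        {"servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success"},
    ],
}]}
SAMPLE_SUSPENDED_P2 = {"value": [{
    "skuPartNumber": "AAD_PREMIUM_P2",
    "capabilityStatus": "Suspended",  # lapsed subscription
    "servicePlans": [
        {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
        {"servicePlanName": "AAD_PREMIUM_P2", "provisioningStatus": "Success"},
    ],
}]}


def conditional_access_capabilities(subscribed_skus):
    """Report which Conditional Access tiers the tenant's licenses cover."""
    active = {}  # service plan name -> SKUs that provide it
    for sku in subscribed_skus.get("value", []):
        # Assumption: count a subscription only while it is Enabled.
        if sku.get("capabilityStatus") != "Enabled":
            continue
        for plan in sku.get("servicePlans", []):
            if plan.get("provisioningStatus") == "Success":
                active.setdefault(plan["servicePlanName"], []).append(
                    sku["skuPartNumber"])
    p1, p2 = active.get(P1_PLAN, []), active.get(P2_PLAN, [])
    return {
        "conditional_access": bool(p1 or p2),  # P1 is enough; P2 includes it
        "risk_based_policies": bool(p2),       # needs Entra ID Protection (P2)
        "licensed_by": sorted(set(p1 + p2)),
    }


if __name__ == "__main__":
    for name, sample in [("free", SAMPLE_FREE),
                         ("business premium", SAMPLE_BUSINESS_PREMIUM),
                         ("suspended P2", SAMPLE_SUSPENDED_P2)]:
        print(name, conditional_access_capabilities(sample))
```

A tenant that reports `conditional_access: False` matches the situation in the question, where the button to create a policy is inactive.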

