MFA Conditional Access Policy For All Users, Still Showing Non-Compliant in Defender.

LM-5132 245 Reputation points
2025-04-17T18:01:33.3266667+00:00

Hello,

We currently have three conditional access policies in Entra ID for Multi-Factor Authentication (MFA), and having multiple policies seems redundant. Here's a brief overview of each:

  1. Microsoft-Managed Policy: This policy automatically applies to 14 admin roles.
  2. All Users Policy: This policy was created for all users in our organization.
  3. Admin Roles Policy: This policy targets admin roles not included in the Microsoft-managed policy.

Ideally, I would like to consolidate these into a single policy that covers everyone. I believe the "All Users" policy should suffice for this purpose.

Additionally, Microsoft Defender Exposure Insights has flagged our tenant as "Non-Compliant for MFA," indicating that 36 out of 136 users are not registered for MFA. I suspect these unregistered users are guest invite accounts. The conditional access policy requiring all users should include B2B collaboration guest users and all other guest users.

Can I safely delete the Microsoft-managed conditional access policy and the policy created for admin roles, while retaining only the all-users policy?

Furthermore, what steps are necessary to resolve the compliance issue indicated by Microsoft Defender, which shows 36 users who aren't registered for MFA?

We also have 14 B2B invitations that are marked as "Pending Acceptance," but some of these users have already been added as tenant members and have a user principal name (UPN) associated with them. How is it possible for them to be part of our tenant without accepting the invitation?

Our main goal is to achieve compliance with MFA.

Thank you for your assistance; it is greatly appreciated!


Accepted answer
    Sanoop M 2,995 Reputation points Microsoft External Staff Moderator
    2025-04-18T05:23:21.67+00:00

    Hello @LM-5132,

    Based on your description, I understand that currently you have 3 CA policies configured in your tenant.

    1. Microsoft-Managed Policy: This policy automatically applies to 14 admin roles.
    2. All Users Policy: This policy was created for all users in our organization.
    3. Admin Roles Policy: This policy targets admin roles not included in the Microsoft-managed policy.

    Please note that if you have configured an All Users MFA policy, then all the users in your tenant, including all the administrators, all the invited guest users, B2B collaboration users, etc., will be included in this All Users MFA policy.

    So it is safe to turn off the Microsoft Managed policy which is applicable only for 14 admin roles, as those 14 admin roles will also be included in the All Users MFA policy.

    Reference document regarding all the Microsoft Managed policies: Microsoft-Managed Conditional Access Policies for Enhanced Security - Microsoft Entra ID | Microsoft Learn

    Please note that to resolve the Non-Compliant for MFA alert indicated by Microsoft Defender, which shows 36 users who aren't registered for MFA, please make sure those 36 users are registered for MFA through the Microsoft Authenticator app if they have mobile devices.

    Please note that after completing MFA registration for those 36 users, if those users don't want to use MFA for accessing the Cloud applications, then we can exclude those users from the All Users MFA policy based on the requirement.

    Regarding your question: "We also have 14 B2B invitations that are marked as "Pending Acceptance," but some of these users have already been added as tenant members and have a user principal name (UPN) associated with them. How is it possible for them to be part of our tenant without accepting the invitation?"

    Answer:

    Before invitation redemption

    B2B collaboration user accounts are the result of inviting guest users to collaborate by using the guest users' own credentials. When the invitation is initially sent to the guest user, an account is created in your tenant. This account doesn’t have any credentials associated with it because authentication is performed by the guest user's identity provider. The Identities property for the guest user account in your directory is set to the host's organization domain until the guest redeems their invitation. The user sending the invitation is added as a default value for the Sponsor attribute on the guest user account. In the admin center, the invited user’s profile will show an Invitation state of Pending acceptance. Querying for externalUserState using the Microsoft Graph API will return Pending Acceptance.


    After invitation redemption

    After the B2B collaboration user accepts the invitation, the Identities property is updated based on the user's identity provider.

    • If the B2B collaboration user is using a Microsoft account or credentials from another external identity provider, Identities reflects the identity provider, for example Microsoft Account, google.com, or facebook.com.
    • If the B2B collaboration user is using credentials from another Microsoft Entra organization, Identities is ExternalAzureAD.
    • For external users who are using internal credentials, the Identities property is set to the host's organization domain. The Directory synced property is Yes if the account is homed in the organization's on-premises Active Directory and synced with Microsoft Entra ID, or No if the account is a cloud-only Microsoft Entra account. The directory sync information is also available via the onPremisesSyncEnabled property in Microsoft Graph.

    For more information, please refer to the document below.

    B2B guest user properties - Microsoft Entra External ID | Microsoft Learn

    I hope the information above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

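The following PowerShell script is an added example for this thread; it is not code from the question or from the accepted answer. It performs the three read-only checks a practitioner would want before acting on the accepted answer: (1) which Conditional Access policies grant MFA, whether one of them really is an enabled "All users / All cloud apps" policy, and whether that policy has exclusions an administrator could fall into before the role-scoped policies are turned off; (2) which accounts the authentication methods registration report counts as not MFA-registered, split by member and guest; (3) which accounts still have an externalUserState of PendingAcceptance, together with the issuer recorded in their Identities property, which is what distinguishes an invited-but-unredeemed account from a redeemed one. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph modules) is installed and that the signed-in account has read access to policies, users and the registration report (for example Global Reader); it changes nothing in the tenant. One caveat it makes visible: guests normally register for and satisfy MFA in their home tenant, so they appear as unregistered in the resource tenant's report unless the inbound cross-tenant access settings trust their home-tenant MFA.

```powershell
# Added example, not code from the question or the accepted answer.
# Read-only audit of the three things discussed in this thread, using the
# Microsoft Graph PowerShell SDK (assumed installed: Install-Module Microsoft.Graph).
# The signed-in account is assumed to have read access (e.g. Global Reader).

Connect-MgGraph -NoWelcome -Scopes "Policy.Read.All", "User.Read.All",
    "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# --- 1. Conditional Access: which policies require MFA, and is one of them a true "all users" policy?
$policies    = Get-MgIdentityConditionalAccessPolicy -All
$mfaPolicies = $policies | Where-Object {
    $_.GrantControls.BuiltInControls -contains "mfa" -or $_.GrantControls.AuthenticationStrength.Id
}

$mfaPolicies | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.DisplayName
        State        = $_.State   # enabled | disabled | enabledForReportingButNotEnforced (report-only)
        IncludeUsers = ($_.Conditions.Users.IncludeUsers -join ",")   # "All" = every member and guest
        IncludeRoles = @($_.Conditions.Users.IncludeRoles).Count      # >0 = role-scoped (admin) policy
        Exclusions   = @($_.Conditions.Users.ExcludeUsers).Count +
                       @($_.Conditions.Users.ExcludeGroups).Count +
                       @($_.Conditions.Users.ExcludeRoles).Count
        Apps         = ($_.Conditions.Applications.IncludeApplications -join ",")
    }
} | Format-Table -AutoSize

# The role-scoped policies are only redundant if an ENABLED policy covers All users on All apps
# with no exclusions that an administrator could fall into. Check that before turning them off.
$allUsersMfa = $mfaPolicies | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All"
}
if (-not $allUsersMfa) {
    Write-Warning "No enabled MFA policy targets All users on All cloud apps. Keep the admin-scoped policies."
}
foreach ($p in $allUsersMfa) {
    $u = $p.Conditions.Users
    if (@($u.ExcludeUsers).Count -or @($u.ExcludeGroups).Count -or @($u.ExcludeRoles).Count) {
        Write-Warning "'$($p.DisplayName)' has exclusions; verify no admin account is in them before retiring the admin-only policies."
    }
}

# --- 2. MFA registration: who is counted as not registered?
# Guests normally register and satisfy MFA in their home tenant, so they appear here as
# unregistered unless inbound cross-tenant access settings trust their home-tenant MFA.
$reg           = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered = $reg | Where-Object { -not $_.IsMfaRegistered }
$notRegistered |
    Select-Object UserPrincipalName, UserType, IsAdmin,
        @{ n = "Methods"; e = { $_.MethodsRegistered -join "," } } |
    Sort-Object UserType, UserPrincipalName | Format-Table -AutoSize

$guestCount = @($notRegistered | Where-Object { $_.UserType -eq "guest" }).Count
"Not MFA-registered: $(@($notRegistered).Count) of $(@($reg).Count) users ($guestCount are guests)"

# --- 3. B2B invitations: pending vs. redeemed, and what the Identities issuer says.
# An invited account exists (with a UPN) as soon as the invitation is sent; before redemption its
# Identities issuer is this tenant's domain. After redemption it becomes ExternalAzureAD,
# MicrosoftAccount, google.com, etc. userType is shown because an invited account can also be a Member.
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,mail,userType,externalUserState,externalUserStateChangeDateTime,identities,createdDateTime"
$users | Where-Object { $_.ExternalUserState } |
    Select-Object DisplayName, UserPrincipalName, UserType, ExternalUserState, ExternalUserStateChangeDateTime,
        @{ n = "Issuer"; e = { ($_.Identities.Issuer | Sort-Object -Unique) -join "," } } |
    Sort-Object ExternalUserState, DisplayName | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it once before changing anything: if the first section prints no warnings, the all-users policy is enabled, targets every user and every cloud app, and has no exclusions, so the admin-only policies add nothing. A policy whose State is enabledForReportingButNotEnforced is still in report-only mode and is not enforcing MFA for anyone. In the second section, any guest rows in the "not registered" list are the accounts to examine separately from the members, since their MFA may legitimately live in their home tenant; in the third section, a PendingAcceptance row whose Issuer is your own verified domain is exactly the pre-redemption state the accepted answer describes.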