Conditional Access for All Users versus a specific user group

asked 2021-04-12T08:59:42.913+00:00
Leo Johnson 151 Reputation points

Hi y'all,

At the moment, we are in a very heated discussion with our Managed Service Provider.

They are setting up Conditional Access for us, but they are using a user group in Azure AD.

So we asked: Why not on All Users, and working with exclusions?

Our MSP told us working with groups instead of the All Users group brings more flexibility.

But in our opinion working with a separate user group brings more administration and more risk of forgetting to enforce Conditional Access.

Could someone end this discussion and give us some advice?


4 answers

Sort by: Most helpful
  1. answered 2021-04-12T11:55:58.86+00:00
    AmanpreetSingh-MSFT 55,166 Reputation points

    Hi @Leo Johnson, thank you for reaching out.

    There is no right or wrong approach here. However, if feasible, when adding users to a policy or some sort of access control list, the suggestion is to always go with groups rather than adding individual users. That way, the help desk can be leveraged to control the access without needing to grant them admin privileges to manage Conditional Access policies, and without requiring the engagement of an admin to update the policies.

    Also, the Conditional Access policies won't need to be updated each time a user account gets created or needs to be added to the policy. Adding a user to the group (in scope of the policy) will apply the CA policy to the user.

    Microsoft provides a What If tool in the Azure portal, so figuring out which policy will apply to a given user or application, and what conditions will apply, is not a challenge.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. answered 2021-04-13T08:48:36.243+00:00
    Cici Wu-MSFT 1,166 Reputation points

    I think it depends on your requirements. Let's say that as the administrator, you decide to use Azure AD Conditional Access to require multi-factor authentication (MFA) and limit authentication requests to specific networks or devices. During deployment planning, you realize that not all users can meet these requirements. For example, you may have users who work from remote offices, not part of your internal network. You may also have to accommodate users connecting using unsupported devices while waiting for those devices to be replaced. In short, the business needs these users to sign in and do their job so you exclude them from Conditional Access policies.

    You can refer to the following article to see the exclusion scenarios:

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. answered 2021-04-26T14:44:31.637+00:00
    Reza Ameri 14,601 Reputation points

    It depends on your requirements. In general it is a good idea to enable it for all users, but sometimes you might run into a complex scenario and difficulty managing them. One approach would be to enable them for a specific group, or you may set up a group, add users from other groups into it and test it out, and when you are confident you can manage it for all users, deploy it for all users. You may enable them group by group and observe the behavior.


  4. answered 2022-04-08T14:14:34.083+00:00
    Simon Burbery 511 Reputation points

    I agree with you 100%... use a group for enabling MFA during rollout, but always plan to remove the group at the end and set to All Users. It's there as a 'catch all' which is extremely important for MFA.

    Also, let's say you use a 'printer' or 'teams-room' account to scan-to-email from an office; restrict them so they can only log in from their location:

    1. Add the office external IP as a Named Location.
    2. Exclude the printer account (or group of accounts) from the MFA policy.
    3. Create a new policy targeted at the account (or group), set to 'Block' then exclude the office 'Named Location'.

    Dynamic groups could also be used to automate membership - for example a group containing 'Members' that are 'Active' could be used as a policy target, reducing the chances of an administration error.

    One reason I prefer adding accounts rather than groups to CA policy exclusions is that you can review who is excluded while in the policy properties without having to go to Azure AD to check the group membership. It also protects from helpdesk admin error of incorrectly adding an account to the exclusion group.

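The two points the answers above keep returning to, the What If check from answer 1 (which policies actually hit a given user) and the "All Users with exclusions" versus "group-scoped" question behind answer 4's printer pattern, can be modelled offline. The following is an added example and is not code from this thread, from Microsoft, or from the What If tool itself; it uses the key names of the Graph `conditionalAccessPolicy` resource (`displayName`, `state`, `conditions.users`, `conditions.locations`, `grantControls`) on a constructed, simplified policy set with hypothetical object IDs, and evaluates only user/group and named-location scoping. `what_if` reports which enabled policies would apply to a user signing in from an IP; `audit_scoping` flags the thread's two risks: policies not anchored on `All` users (new accounts are not covered automatically) and exclusion groups whose membership is not visible from the policy itself.

```python
"""Offline model of Conditional Access user/location scoping (constructed data).
Simplification: ignores apps, roles, guests, device state and platform conditions."""
import ipaddress

# Constructed directory state; object IDs are hypothetical placeholders.
USERS = {
    "alice":      {"id": "u-alice",      "groups": {"g-staff"}},
    "printer01":  {"id": "u-printer01",  "groups": {"g-printers"}},
    "breakglass": {"id": "u-breakglass", "groups": set()},
}
# Named location -> IP ranges (203.0.113.0/24 is the TEST-NET-3 documentation range).
NAMED_LOCATIONS = {"loc-office": ["203.0.113.0/24"]}

# Constructed policies shaped like Graph conditionalAccessPolicy objects.
POLICIES = [
    {   # The "catch all" from answer 4: All users, break-glass and printers excluded.
        "displayName": "Require MFA for all users", "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"],
                      "includeGroups": [], "excludeGroups": ["g-printers"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # Answer 4, step 3: block the printer group everywhere except the office.
        "displayName": "Block printers outside office", "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeGroups": ["g-printers"], "excludeGroups": []},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-office"]}},
        "grantControls": {"builtInControls": ["block"]},
    },
    {   # A group-scoped pilot: the pattern the question worries about.
        "displayName": "Pilot: require compliant device", "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeGroups": ["g-pilot"], "excludeGroups": []},
            "locations": {"includeLocations": ["All"], "excludeLocations": []}},
        "grantControls": {"builtInControls": ["compliantDevice"]},
    },
]


def user_in_scope(users_cond, user):
    """Exclusions win over inclusions, as in Conditional Access."""
    uid, groups = user["id"], user["groups"]
    if uid in users_cond.get("excludeUsers", []) or groups & set(users_cond.get("excludeGroups", [])):
        return False
    inc_users = users_cond.get("includeUsers", [])
    if "All" in inc_users or uid in inc_users:
        return True
    return bool(groups & set(users_cond.get("includeGroups", [])))


def ip_in_location(ip, loc_id):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in NAMED_LOCATIONS.get(loc_id, []))


def location_in_scope(loc_cond, ip):
    if any(ip_in_location(ip, loc) for loc in loc_cond.get("excludeLocations", [])):
        return False
    inc = loc_cond.get("includeLocations", [])
    return "All" in inc or any(ip_in_location(ip, loc) for loc in inc)


def what_if(policies, user_name, ip):
    """Return {policy name: built-in controls} for every enabled policy that applies."""
    user = USERS[user_name]
    applied = {}
    for pol in policies:
        if pol["state"] != "enabled":
            continue
        cond = pol["conditions"]
        loc_cond = cond.get("locations", {"includeLocations": ["All"]})
        if user_in_scope(cond["users"], user) and location_in_scope(loc_cond, ip):
            applied[pol["displayName"]] = pol["grantControls"]["builtInControls"]
    return applied


def audit_scoping(policies):
    """Findings for the two risks raised in the thread."""
    findings = []
    for pol in policies:
        users = pol["conditions"]["users"]
        if "All" not in users.get("includeUsers", []):
            findings.append(f"{pol['displayName']}: scoped to groups {users.get('includeGroups')}; "
                            "new accounts are not covered until someone adds them")
        for gid in users.get("excludeGroups", []):
            findings.append(f"{pol['displayName']}: exclusion group {gid}; membership is not "
                            "visible in the policy, review it separately")
    return findings


if __name__ == "__main__":
    for who, ip in (("alice", "198.51.100.7"), ("printer01", "203.0.113.5"), ("printer01", "198.51.100.7")):
        print(who, ip, what_if(POLICIES, who, ip))
    print("\n".join(audit_scoping(POLICIES)))
```

The printer account from the office IP matches no policy at all (excluded from MFA by group, block policy skipped by the named-location exclusion), while the same account from any other address is blocked; the break-glass account matches nothing anywhere, which is exactly the kind of standing exception the audit output is meant to surface for periodic review.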