MFA User Experience

Andreas 1,331 Reputation points
2020-09-08T19:26:29.7+00:00

Hi,

As I can see in a customer tenant, they can either activate MFA for everyone, or I can select which users should have MFA.

Is there any difference in the user experience if I enable it per user or if I enable it for everyone?
Someone told me that there might be a difference in how applications use MFA if you select individual users, so you should configure security defaults instead... Any comments regarding this?

[Screenshot: securitydefault.jpg]

Or select individual

[Screenshot: jau.png]

/Regards
Andy

Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2020-09-08T19:46:40.69+00:00

    I would not enforce per user in most cases.
    Use the security defaults or a Conditional Access policy, which can give more flexibility.

    More info:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

    Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach to protect users. Conditional Access is an Azure AD Premium P1 or P2 feature that lets you apply rules to require MFA as needed in certain scenarios. To get started using Conditional Access, see Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication.
    For Azure AD free tenants without Conditional Access, you can use security defaults to protect users. Users are prompted for MFA as needed, but you can't define your own rules to control the behavior.

    2 people found this answer helpful.

2 additional answers

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2020-09-08T20:53:29.543+00:00

    If you enable security defaults, you won't be able to set any granularity to when users get prompted for MFA. That to me is the biggest limitation and a "different" user experience potentially, i.e. a lot of orgs want to not require MFA from internal, trusted networks. You won't be able to do that with the current iteration of the Security Defaults. You could also block legacy apps connecting without the ability to create exceptions.

    That article I linked mentions those issues.

    2 people found this answer helpful.
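    The "trusted network" granularity that security defaults cannot express, written as a Conditional Access policy. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell module, an Azure AD P1/P2 license, and that trusted named locations already exist in the tenant. The excluded account id is a placeholder.

```powershell
# Added example: require MFA for all users and all apps, but skip the prompt
# when the sign-in comes from a named location marked as trusted.
# Assumes the Microsoft.Graph module and Conditional Access licensing.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require MFA except from trusted locations"
    # Start in report-only mode so the sign-in logs show who would have been
    # prompted before the policy is actually enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: object id of an emergency-access account kept out of
            # the policy so a broken MFA setup cannot lock every admin out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # every named location flagged as trusted
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

    Per-user MFA and security defaults have no equivalent of the `excludeLocations` line; that is the granularity difference the answer describes.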

  2. Andreas 1,331 Reputation points
    2020-09-08T20:18:54.127+00:00

    Hi,

    Thanks for the reply.
    Yes, I know Conditional Access would be best, but no license :(
    But no comments on whether there is a different user experience if I enable per user or security defaults?

    /regards
    Andy
