Azure AD recommendation: Convert per-user MFA to Conditional Access MFA

Azure AD recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to convert per-user Multi-factor authentication (MFA) accounts to Conditional Access (CA) MFA accounts.


As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed. MFA enables you to enhance the security posture of your tenant.

In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in, with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on. While enabling MFA is a good practice, converting per-user MFA to MFA based on Conditional Access can reduce the number of times your users are prompted for MFA.

This recommendation shows up if:

  • You have per-user MFA configured for at least 5% of your users.
  • Conditional Access policies are active for more than 1% of your users (indicating familiarity with CA policies).


This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. CA and MFA used together help ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.

Action plan

  1. Confirm that there's an existing CA policy with an MFA requirement. Ensure that you're covering all resources and users you would like to secure with MFA.

  2. Require MFA using a Conditional Access policy.

  3. Ensure that the per-user MFA configuration is turned off.

After all users have been migrated to CA MFA accounts, the recommendation status automatically updates the next time the service runs. Continue to review your CA policies to improve the overall health of your tenant.

Next steps