Configure Essential Eight MFA conditional access policies

This article provides guidance on configuring Conditional Access policies in Microsoft Entra ID to meet the MFA requirements of a given Essential Eight maturity level.

Note

  • Do not create any exclusions for the following MFA policies (for example, do not exclude based on location or device state).
  • There is a known issue with Windows Licensing activation when MFA is required for the Windows Store for Business application. An interim workaround is to exclude this application from the conditional access policy.

To create the conditional access policy:

  1. Browse to the Microsoft Entra admin center.
  2. Select Protection > Conditional access > Create new policy.
  3. Configure the policy for the required maturity level.
  4. Set Enable policy to On, then select Create.

Maturity Level 1

  • Name: ACSC Essential Eight MFA – Maturity Level 1
  • Users:
    • Include: All users
  • Cloud apps:
    • Include: All cloud apps
  • Conditions: None
  • Grant: Require authentication strength

Maturity Levels 2 & 3

  • Name: ACSC Essential Eight MFA – Maturity Level 2 & 3
  • Users:
    • Include: All users
  • Cloud apps:
    • Include: All cloud apps
  • Conditions: None
  • Grant: Require authentication strength
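The portal steps above map directly onto the Conditional Access policy resource in Microsoft Graph, which is useful when the policy must be created the same way in several tenants or checked against the note at the top of the article (no exclusions, all users, all cloud apps, policy enabled). The following is an added example, not code from the article or from Microsoft: it builds the request body for the maturity-level policy, lints it against those rules, and optionally posts it. The built-in authentication strength ids, the `GRAPH_TOKEN` environment variable, and the `create_policy` helper are assumptions of this example; confirm the strength ids in your tenant before use.

```python
"""Build, lint, and (optionally) create an Essential Eight MFA Conditional Access
policy through the Microsoft Graph API.

Added example, not from the original article. Assumptions are marked below.
"""
import json
import os
import urllib.request

# Documented Graph resource for Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Built-in authentication strength ids. ASSUMPTION: these are the well-known
# built-in ids; confirm in your tenant with
#   GET /identity/conditionalAccess/authenticationStrength/policies
BUILTIN_MFA_STRENGTH = "00000000-0000-0000-0000-000000000002"
BUILTIN_PHISHING_RESISTANT_MFA_STRENGTH = "00000000-0000-0000-0000-000000000004"


def build_mfa_policy(name: str, strength_id: str, state: str = "enabled") -> dict:
    """Graph body for the article's policy: all users, all cloud apps, no
    conditions, grant = require authentication strength, no exclusions."""
    return {
        "displayName": name,
        "state": state,  # "enabled" corresponds to 'Enable policy: On'
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": strength_id},
        },
    }


def _find_exclusions(node, path=""):
    """Recursively collect every non-empty exclude* key under conditions."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.startswith("exclude") and value:
                found.append(child)
            found.extend(_find_exclusions(value, child))
    return found


def lint_policy(policy: dict) -> list:
    """Check a policy body against the article's rules; return a list of
    problems (an empty list means the policy is acceptable)."""
    problems = []
    conditions = policy.get("conditions", {})
    if conditions.get("users", {}).get("includeUsers") != ["All"]:
        problems.append("users.includeUsers must be ['All']")
    if conditions.get("applications", {}).get("includeApplications") != ["All"]:
        problems.append("applications.includeApplications must be ['All']")
    for path in _find_exclusions(conditions):
        problems.append(f"exclusion present: conditions.{path}")
    if "authenticationStrength" not in policy.get("grantControls", {}):
        problems.append("grantControls.authenticationStrength is missing")
    if policy.get("state") != "enabled":
        problems.append(f"state is {policy.get('state')!r}, expected 'enabled'")
    return problems


def create_policy(policy: dict, access_token: str) -> dict:
    """POST the body to Graph. The token needs the
    Policy.ReadWrite.ConditionalAccess permission."""
    request = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    policy = build_mfa_policy(
        "ACSC Essential Eight MFA – Maturity Level 1", BUILTIN_MFA_STRENGTH
    )
    problems = lint_policy(policy)
    if problems:
        raise SystemExit("policy rejected: " + "; ".join(problems))
    print(json.dumps(policy, indent=2))
    token = os.environ.get("GRAPH_TOKEN")  # ASSUMPTION: token supplied by the operator
    if token:
        print("created policy id:", create_policy(policy, token)["id"])
```

Run it without `GRAPH_TOKEN` to print and lint the body only. The lint deliberately rejects any non-empty `exclude*` entry anywhere under `conditions` and any state other than `enabled`, so a policy left in report-only mode or carrying the Windows Store for Business interim workaround is surfaced rather than silently accepted.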

Microsoft recommendations

In addition to the maturity level conditional access policies, we recommend implementing the following controls.

Require compliant or hybrid joined devices

Phishing resistance can be achieved at any of the maturity levels by limiting sign-ins to compliant or Microsoft Entra hybrid joined devices (desktop and mobile). This control is recommended for all maturity levels and must be applied to all devices owned by the organization. Where possible, this control should also be applied to bring your own device (BYOD) devices.

Follow this guide to require a compliant or Microsoft Entra hybrid joined device:

Block legacy authentication

Legacy authentication protocols don't support modern authentication controls such as MFA and are therefore vulnerable to credential theft attacks. We recommend blocking legacy authentication protocols to reduce the risk of credential theft attacks.

To block legacy authentication, follow this guide:
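Before a block policy is enabled, it is worth knowing which accounts still sign in with legacy protocols so the block does not break them unexpectedly. The following is an added example, not code from the article or from Microsoft: it reads a sign-in log export shaped like Graph `signIn` objects and summarises legacy-protocol usage per user. The sample records are constructed, and the rule that treats everything other than `Browser` and `Mobile Apps and Desktop clients` as legacy is an assumption of this example that mirrors how Conditional Access groups client app types.

```python
"""Summarise legacy-authentication sign-ins before enabling a block.

Added example, not from the original article; the sample records are
constructed and shaped like Microsoft Graph signIn objects.
"""
import json
from collections import Counter, defaultdict

# Client app strings the sign-in logs report for modern authentication.
# ASSUMPTION: everything else (Exchange ActiveSync, IMAP4, POP3, Authenticated
# SMTP, "Other clients", ...) is treated as legacy, mirroring the Conditional
# Access client app types.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export (one JSON object per line, not real tenant data).
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@contoso.example",
     "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
])


def is_legacy(record: dict) -> bool:
    """True when the sign-in did not use a modern client."""
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_auth_summary(jsonl: str, successful_only: bool = True) -> dict:
    """Return {upn: {clientAppUsed: count}} for legacy sign-ins.

    successful_only drops failed attempts, so the result reflects users who
    would actually be affected by the block rather than password-guessing
    noise against mailboxes that never authenticated.
    """
    summary = defaultdict(Counter)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if not is_legacy(record):
            continue
        error_code = record.get("status", {}).get("errorCode", 0)
        if successful_only and error_code != 0:
            continue
        summary[record["userPrincipalName"]][record["clientAppUsed"]] += 1
    return {upn: dict(counts) for upn, counts in summary.items()}


def format_report(summary: dict) -> str:
    """Render the summary one user per line, sorted for stable output."""
    lines = [
        f"{upn}: " + ", ".join(f"{app} x{n}" for app, n in sorted(apps.items()))
        for upn, apps in sorted(summary.items())
    ]
    return "\n".join(lines) if lines else "no legacy authentication sign-ins found"


if __name__ == "__main__":
    print(format_report(legacy_auth_summary(SAMPLE_SIGNINS)))
```

With the constructed sample the report lists `bob@contoso.example` (IMAP4) and the `svc-scanner` account (Authenticated SMTP); `carol`'s failed ActiveSync attempt only appears when `successful_only=False`, which is the view to use when looking for credential-guessing against legacy endpoints rather than for users to migrate.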

Protect against multifactor authentication takeover of dormant accounts

Dormant accounts that aren't registered for multifactor authentication are susceptible to multifactor authentication takeover attacks. We recommend configuring an MFA registration policy to ensure users set up multifactor authentication as part of the user onboarding flow.

Identify dormant accounts that aren't registered for multifactor authentication by regularly reviewing the multifactor authentication registration activity report. An identity governance solution such as Microsoft Entra ID Governance can automate the review of dormant accounts.
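The review described above can be scripted by joining the registration activity data with each user's last sign-in. The following is an added example, not code from the article or from Microsoft: it takes records shaped like Graph's `userRegistrationDetails` report and the `signInActivity` property of `user`, and separates accounts that are unregistered and dormant (takeover risk) from accounts that are unregistered but active (an onboarding gap the registration policy should close). The sample data, the fixed `NOW` timestamp and the 90-day dormancy threshold are constructed assumptions of this example.

```python
"""Flag accounts that are not registered for MFA, split into dormant and
active-but-unregistered.

Added example, not from the original article. Both inputs are constructed
samples shaped like Graph's userRegistrationDetails and users/signInActivity.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of /reports/authenticationMethods/userRegistrationDetails
REGISTRATION_DETAILS = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "dave@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
]

# Constructed sample of /users?$select=userPrincipalName,signInActivity
# A value of None models a user whose signInActivity property is absent.
SIGN_IN_ACTIVITY = {
    "alice@contoso.example": {"lastSignInDateTime": "2024-05-30T08:12:00Z"},
    "bob@contoso.example": {"lastSignInDateTime": "2024-01-04T17:40:00Z"},
    "carol@contoso.example": {"lastSignInDateTime": "2024-05-28T09:00:00Z"},
    "dave@contoso.example": None,
}

# Fixed "current time" so the example is reproducible (ASSUMPTION).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_graph_time(value: str) -> datetime:
    """Graph returns UTC timestamps with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_unregistered(registration, activity, now=NOW, dormant_days=90):
    """Return {'dormant': [(upn, reason), ...], 'active_unregistered': [upn, ...]}.

    dormant: not MFA-registered and no sign-in within dormant_days (or ever).
    active_unregistered: not MFA-registered but signed in recently, which
    points at a gap in the onboarding/registration policy.
    """
    cutoff = now - timedelta(days=dormant_days)
    dormant, active = [], []
    for detail in registration:
        if detail.get("isMfaRegistered"):
            continue
        upn = detail["userPrincipalName"]
        last = (activity.get(upn) or {}).get("lastSignInDateTime")
        if last is None:
            dormant.append((upn, "never signed in"))
            continue
        last_dt = _parse_graph_time(last)
        if last_dt < cutoff:
            dormant.append((upn, f"last sign-in {(now - last_dt).days} days ago"))
        else:
            active.append(upn)
    return {"dormant": sorted(dormant), "active_unregistered": sorted(active)}


if __name__ == "__main__":
    result = review_unregistered(REGISTRATION_DETAILS, SIGN_IN_ACTIVITY)
    for upn, reason in result["dormant"]:
        print(f"DORMANT, not MFA-registered: {upn} ({reason})")
    for upn in result["active_unregistered"]:
        print(f"ACTIVE, not MFA-registered: {upn}")
```

Dormant, unregistered accounts are the ones an attacker who obtains the password could enrol their own MFA method on, so they are the candidates for disabling or for a forced registration at next sign-in; the active-but-unregistered list shows where the onboarding registration policy is not yet doing its job.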

Microsoft Entra Security Defaults

Microsoft Entra tenants that don't have a Microsoft Entra ID P1 or P2 license can achieve the ACSC Essential Eight maturity level 1 by enabling Microsoft Entra Security Defaults.

Guidance on enabling Security Defaults is available at Providing a default level of security in Microsoft Entra ID.

Next steps