
How to create a conditional access policy to enable MFA?

Updated: Dec 21, 2023

What is Multi-Factor Authentication?

Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.

Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network, or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.


What is Conditional Access?

Conditional access is a set of policy configurations that controls which devices and users can access different applications. In the Microsoft environment specifically, conditional access policies work with Office 365 and other Software-as-a-Service (SaaS) applications configured in Azure Active Directory.

In the simplest terms, conditional access policies are if-then statements, i.e., if a condition is met, then the necessary action is taken for that condition. Example: a user wants to access any Office 365 application and is required to perform multi-factor authentication (MFA) to access it.

There are two ways to configure MFA for a user:

  • Set up Multi-factor Authentication in the Microsoft 365 Admin Center

  • Create a Conditional Access policy

Prerequisites

  • An active Azure subscription with a Global Administrator role.

  • At least an Azure AD Premium P1 license

  • Three non-administrator test users whose passwords you know.



Set up Multi-factor Authentication in the Microsoft 365 Admin Center

1. In the Admin Center, go to Users > Active users.

2. IMPORTANT: Before you select a user, choose More (...) > Setup Azure multi-factor authentication.

  • If you're using the preview version of the admin center, you can find the option for MFA under Multi-factor authentication.

  • In the classic version, you'll find it under Set up multi-factor authentication.


3. Find the people for whom you want to enable MFA. You might need to change the Multi-Factor Auth status view at the top to see everyone.

4. The views have the following values, based on the MFA state of the users:

  • Default view: displays all users.

  • Enabled: the person has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the process the next time they sign in.

  • Enforced: the person may or may not have completed registration. If they have completed the registration process, then they are using MFA. Otherwise, they will be prompted to complete the process the next time they sign in.

5. Select the checkbox next to the people for whom you want to enable MFA.

6. On the right, you'll see Enable and Manage user settings under quick steps. Choose Enable.

7. In the dialog box that opens, choose Enable multi-factor auth.


Create a Conditional Access policy

The following steps will help create a Conditional Access policy to require all users to do multifactor authentication.

  1. Sign in to the Azure portal as a Global Administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access.

  3. Select New policy.

  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  5. Under Assignments, select Users or workload identities.

  6. Under Include, select All users.

  7. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

  8. Under Cloud apps or actions > Include, select All cloud apps.

  9. Under Exclude, select any applications that don't require multifactor authentication.

  10. Under Access controls > Grant, select Grant access, check Require multifactor authentication, and select Select.

  11. Confirm your settings and set Enable policy to Report-only.

  12. Select Create to enable your policy.



After confirming your settings using the report-only mode, an administrator can move the Enable policy toggle from Report-only to On.

Note: Make sure that you do not assign the policy to all users and administrators at once. Always assign the policy to some users with no assigned roles first and enable the policy in Report-only mode to test and make sure the policy works as expected. Otherwise, you risk locking yourself out.
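The portal steps above map directly onto the Microsoft Graph conditionalAccessPolicy object (POST to /identity/conditionalAccess/policies). As an added example that is not part of the original article, the Python below builds that request body for the "require MFA for all users" policy and runs a pre-flight check that encodes the note's two precautions (exclude break-glass accounts, start in Report-only). The helper names and the GUID used in the demo are assumptions; substitute your tenant's own object ids.

```python
import json

# Real Graph v1.0 endpoint for creating Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(name, break_glass_ids, excluded_app_ids=(), report_only=True):
    """Return the Graph policy body equivalent to portal steps 4-11.

    break_glass_ids / excluded_app_ids are directory object ids (GUIDs) of the
    emergency-access accounts and of any apps that do not need MFA.
    """
    return {
        "displayName": name,
        # Report-only (step 11) is enabledForReportingButNotEnforced; switch to
        # "enabled" only after reviewing the report-only sign-in results.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_app_ids),
            },
        },
        # Grant access + Require multifactor authentication (step 10).
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lockout_findings(policy):
    """Checks from the article's note; an empty list means the policy is safe to submit."""
    findings = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        findings.append("targets All users but excludes no break-glass account")
    if policy["state"] == "enabled":
        findings.append("enforced (On) instead of Report-only for the first rollout")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control does not require multifactor authentication")
    return findings


def graph_request(policy):
    """Return (method, url, json_body) for the create call; refuses unsafe policies."""
    problems = lockout_findings(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return "POST", GRAPH_CA_POLICIES, json.dumps(policy)


if __name__ == "__main__":
    demo_break_glass = "00000000-0000-0000-0000-000000000001"  # constructed placeholder id
    print(graph_request(build_mfa_policy("CA001-MFA-AllUsers", [demo_break_glass]))[2])
```

Send the returned body with an access token holding Policy.ReadWrite.ConditionalAccess; once the report-only results look right, rebuild with report_only=False and PATCH the policy's state.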
