Multi-Factor Authentication (MFA) provides a high level of protection for identities in the cloud. In addition to the password, users must prove their identity with a second factor; without it, access to cloud apps is blocked.
The feature “Azure AD Conditional Access” can be used to enforce multi-factor authentication. At least two of the following factor types are then required:
- Something you know, typically a password
- Something you have, such as a trusted device that’s not easily duplicated, like a phone or hardware key
- Something you are – biometrics like a fingerprint or face scan
The following instructions show how to enable multi-factor authentication via Azure AD Conditional Access in your own tenant for all users and all guest users.
Prerequisites and Licensing
The following license is required to use the feature “Azure AD Conditional Access”:
- Azure AD Premium P1
The license is included in “Microsoft 365 Business Premium” and many more.
An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.
Thanks to Aaron Dinnage for this great overview!
Force Multi-Factor Authentication for all user accounts
Select “Azure AD Conditional Access” and create a new policy
The policy should be applied to all users in the tenant
Microsoft recommends excluding the following accounts from multi-factor authentication and protecting them with a very strong password (>24 characters) instead.
- Break Glass Accounts / Emergency Accounts
- Service Accounts
- Service Principals
The exclusion of these accounts from this policy is configured as follows.
The policy should be applied to all cloud apps that authenticate with Azure AD. This includes Microsoft Cloud Apps (e.g. Microsoft 365 Portal, Azure Portal, outlook.com etc.) as well as those applications that are integrated via Azure AD enterprise applications.
If a cloud app needs to be excluded, this can also be configured as shown below.
The policy should always be applied, so it does not require configuration of conditions.
Enforce “Multi-Factor Authentication” in the section “Access Control”
A multi-factor authentication token has a lifetime of 90 days.
The token is valid per device and must be renewed once its lifetime expires. It is recommended to reduce this lifetime to 30 days.
The “Report-only” option saves the policy, but does not yet activate the settings. This way the effects of the policy can be tested safely.
The effects of the policy can now be evaluated in the Azure Active Directory sign-in logs.
After successful verification of the policy, it can be enabled.
Force Multi-Factor Authentication for all guest accounts
The configuration of the guest account policy is largely identical to that of the user accounts in the previous section.
The only difference is the assignment of the policy, where “All guest and external users” is explicitly selected.
Exclude the following accounts from this policy:
- Break Glass Accounts
- Service Accounts
- Service Principals
The further configuration of the policy is identical to that of the user accounts and can be viewed here.
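The two policies described in this post (all users, and all guest and external users) expressed as Microsoft Graph conditionalAccessPolicy bodies, with a pre-rollout check for the points the sections above stress: all cloud apps in scope, MFA as the grant control, break-glass accounts excluded, and report-only before enabling. This is an added example, not the author's or Microsoft's code; the excluded object ids are constructed placeholders, and mapping the 30-day token lifetime to a sign-in frequency session control is an assumption.

```python
"""Builds the two Conditional Access policies from this post as Microsoft Graph
conditionalAccessPolicy bodies and lint-checks them before rollout. Added example,
not the author's or Microsoft's code; the excluded object ids are placeholders."""

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph value for "Report-only"
ALL_GUEST_TYPES = ("internalGuest,b2bCollaborationGuest,b2bCollaborationMember,"
                   "b2bDirectConnectUser,otherExternalUser,serviceProvider")
# Constructed placeholder object ids for the break-glass and service accounts.
EXCLUDED_IDS = ["11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222"]

def build_mfa_policy(name, exclude_ids, guests_only=False, sign_in_days=30,
                     state=REPORT_ONLY):
    """All cloud apps, grant control = MFA, emergency/service accounts excluded,
    report-only by default so the effect can be checked in the sign-in logs."""
    users = {"excludeUsers": list(exclude_ids)}
    if guests_only:  # assignment "All guest and external users", any tenant
        users["includeGuestsOrExternalUsers"] = {
            "guestOrExternalUserTypes": ALL_GUEST_TYPES,
            "externalTenants": {
                "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                "membershipKind": "all"}}
    else:            # assignment "All users"
        users["includeUsers"] = ["All"]
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        # Assumption: the 90 -> 30 day MFA lifetime is expressed as a sign-in frequency.
        "sessionControls": {"signInFrequency": {
            "value": sign_in_days, "type": "days", "isEnabled": True}}}

def check_policy(policy, break_glass_ids):
    """Return findings that should stop the policy from being switched to enabled."""
    findings, cond = [], policy["conditions"]
    if cond["applications"].get("includeApplications") != ["All"]:
        findings.append("policy does not cover all cloud apps")
    if "mfa" not in policy["grantControls"].get("builtInControls", []):
        findings.append("grant control does not require MFA")
    missing = sorted(set(break_glass_ids) - set(cond["users"].get("excludeUsers", [])))
    if missing:
        findings.append(f"break-glass accounts not excluded (lockout risk): {missing}")
    if policy["state"] == "enabled":
        findings.append("state is enabled; test in report-only and review the sign-in logs first")
    return findings
```

The returned dictionaries are the JSON bodies you would POST to the Graph conditional access policies endpoint once `check_policy` returns no findings.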