Multi-Factor Authentication (MFA) provides a high level of protection for identities in the cloud. In addition to the password, the user must prove their identity with a second factor. Without this second factor, access to cloud apps is denied.

The feature “Azure AD Conditional Access” can be used to enforce multi-factor authentication. At least two of the following authentication methods then become mandatory:

  • Something you know, typically a password
  • Something you have, such as a trusted device that’s not easily duplicated, like a phone or hardware key
  • Something you are, such as biometrics like a fingerprint or face scan

The following instructions show how to enable multi-factor authentication via Azure AD Conditional Access in your own tenant for all users and all guest users.

Prerequisites and Licensing

The following license is required to use the feature “Azure AD Conditional Access”:

  • Azure AD Premium P1

The license is included in “Microsoft 365 Business Premium” and many other license packages.

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.
Thanks to Aaron Dinnage for this great overview!

Force Multi-Factor Authentication for all user accounts

Select “Azure AD Conditional Access” and create a new policy

The policy should be applied to all users in the tenant

Microsoft recommends excluding the following accounts from multi-factor authentication and protecting them with a very strong password (>24 characters) instead.

  • Break Glass Accounts / Emergency Accounts
  • Service Accounts
  • Service Principals

The exclusion of these accounts from this policy is configured as follows.

The policy should be applied to all cloud apps that authenticate with Azure AD. This includes Microsoft Cloud Apps (e.g. Microsoft 365 Portal, Azure Portal, outlook.com etc.) as well as those applications that are integrated via Azure AD enterprise applications.

If a cloud app should be excluded, this can also be configured as shown below.

The policy should always be applied, so it does not require configuration of conditions.

Enforce “Multi-Factor Authentication” in the section “Access Control”

A multi-factor authentication token has a lifetime of 90 days.
The token is valid per device and must be renewed after the lifetime expires. It is recommended to reduce this lifetime to 30 days.

The “Report-only” option saves the policy, but does not yet activate the settings. This way the effects of the policy can be tested safely.

The effects of the policy can now be evaluated in the Azure Active Directory sign-in logs.

After successful verification of the policy, it can be enabled.

Force Multi-Factor Authentication for all guest accounts

The configuration of the guest account policy is largely identical to that of the user accounts in the previous section.
The only difference is the assignment of the policy, where “All guest and external users” is explicitly selected.

Exclude the following accounts from this policy:

  • Break Glass Accounts
  • Service Accounts
  • Service Principals

The further configuration of the policy is identical to that of the user accounts and is described in the previous section.
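The two policies described above (all users, and all guest and external users) can also be created outside the portal. The following is an added example written for this post, not the author's own configuration; it uses the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`). The policy names, the exclusion group name `CA-MFA-Exclusions` and the use of the sign-in frequency session control to express the recommended 30-day lifetime are assumptions, not values taken from the post.

```powershell
# Added example (not from the original post): deploy both MFA policies in report-only mode.
# Requires the Microsoft.Graph module and an admin with Conditional Access rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Assumption: one security group holds the break-glass and service accounts
# that must stay outside the policy. Create it first; replace the name with your own.
$excludedGroup = Get-MgGroup -Filter "displayName eq 'CA-MFA-Exclusions'"
if (-not $excludedGroup) {
    throw "Create the exclusion group (containing the break-glass accounts) before deploying the policy."
}

function New-MfaPolicy {
    param(
        [string]$Name,
        [string]$IncludeUsers   # "All" for the user policy, "GuestsOrExternalUsers" for the guest policy
    )
    $body = @{
        displayName = $Name
        # "Report-only": the policy is saved and evaluated in the sign-in logs, but not yet enforced
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            clientAppTypes = @("all")
            # every cloud app that authenticates with Azure AD, no further conditions
            applications   = @{ includeApplications = @("All") }
            users          = @{
                includeUsers  = @($IncludeUsers)
                excludeGroups = @($excludedGroup.Id)   # break-glass / service accounts
            }
        }
        grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
        sessionControls = @{
            # Assumption: the 30-day lifetime is enforced via sign-in frequency (re-authentication every 30 days)
            signInFrequency = @{ isEnabled = $true; type = "days"; value = 30 }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$userPolicy  = New-MfaPolicy -Name "Require MFA - all users"  -IncludeUsers "All"
$guestPolicy = New-MfaPolicy -Name "Require MFA - all guests" -IncludeUsers "GuestsOrExternalUsers"

# Once the report-only results in the sign-in logs look correct, switch a policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $userPolicy.Id -BodyParameter @{ state = "enabled" }
```

Check the sign-in logs for sign-ins that would have been blocked (including the excluded accounts) before enabling either policy, exactly as the report-only step above describes.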
