Setting up Multi-Factor Authentication (MFA) per user significantly enhances the security of a Microsoft tenant and is now standard practice for every administrator. With per-user MFA, the user must complete multi-factor authentication at every sign-in. However, this can frustrate legitimate users whose workflows are disrupted by frequent MFA prompts. To balance security and usability while improving the user experience, it is recommended to switch to MFA (Multi-Factor Authentication) enforced through Microsoft Entra Conditional Access.

Microsoft Entra Conditional Access with Multi-Factor Authentication (MFA) allows MFA prompts to be fine-tuned based on specific conditions, such as unknown locations or device-based conditions. This means a user only has to go through an MFA prompt when it is truly necessary. For example, MFA prompts can be suppressed when a user signs in from within the corporate network or from a trusted device.

Another advantage of Microsoft Entra Conditional Access with Multi-Factor Authentication (MFA) is the ability to require different types of MFA for different scenarios. For example, a phishing-resistant MFA method using a FIDO2 key can be enforced for critical resources, while MFA methods such as the Microsoft Authenticator app or SMS are allowed for less sensitive resources.

Prerequisites and Licensing

The Microsoft Entra Conditional Access feature requires the following license:

  • Microsoft Entra ID P1 or higher

The license is included in Microsoft 365 Business Premium and many others.

An overview of Microsoft 365 license packages with their features can be found at

Disable per-user MFA

Per-user MFA must be disabled before switching to MFA with Microsoft Entra Conditional Access. The status of every user is shown in the Microsoft Entra admin center under

Identity > Users > All users > Per-user MFA

Users who are set to Enabled or Enforced must be set to Disabled.

To set a user to Disabled, click on the user (1), choose Disable (2), and confirm the selection.

Afterwards, per-user Multi-Factor Authentication (MFA) is disabled for all users.
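Clicking through every user is fine for a small tenant; for a larger one, the same audit and change can be scripted. The following is an added example and not code from the original post. It lists each user's per-user MFA state (Disabled / Enabled / Enforced) through Microsoft Graph and, only when asked, sets Enabled or Enforced users to Disabled. It assumes the Microsoft.Graph PowerShell SDK is installed, uses the beta endpoint `/users/{id}/authentication/requirements` with its `perUserMfaState` property, and the permission scopes shown are the ones assumed for that endpoint.

```powershell
# Added example, not the original post's code.
# Assumptions: Microsoft.Graph PowerShell SDK installed; beta endpoint
# /users/{id}/authentication/requirements exposes perUserMfaState; the
# scopes below are the assumed permissions for reading and updating it.

Connect-MgGraph -Scopes "User.Read.All", "Policy.ReadWrite.AuthenticationMethod"

function Get-PerUserMfaState {
    # Returns one object per user with its current per-user MFA state.
    $users = Get-MgUser -All -Property Id, UserPrincipalName
    foreach ($u in $users) {
        $uri = "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
        $req = Invoke-MgGraphRequest -Method GET -Uri $uri
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Id                = $u.Id
            PerUserMfaState   = $req.perUserMfaState   # disabled / enabled / enforced
        }
    }
}

function Disable-PerUserMfa {
    # Sets the per-user MFA state of one user to "disabled".
    param([Parameter(Mandatory)][string]$UserId)
    $uri  = "https://graph.microsoft.com/beta/users/$UserId/authentication/requirements"
    $body = @{ perUserMfaState = "disabled" }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"
}

# Step 1: audit only. Review this list before changing anything.
$states = Get-PerUserMfaState
$states | Sort-Object PerUserMfaState | Format-Table -AutoSize

# Step 2: disable per-user MFA for Enabled/Enforced users.
# -ReadOnly keeps the run non-destructive; drop it once the audit looks right.
$ReadOnly = $true
foreach ($s in $states | Where-Object { $_.PerUserMfaState -in @("enabled", "enforced") }) {
    if ($ReadOnly) {
        Write-Host "Would disable per-user MFA for $($s.UserPrincipalName)"
    } else {
        Disable-PerUserMfa -UserId $s.Id
        Write-Host "Disabled per-user MFA for $($s.UserPrincipalName)"
    }
}
```

Keep the audit output: it is the record of which users were Enforced before the switch, which is useful if a sign-in later behaves unexpectedly. Do the Conditional Access policy and this step in the same maintenance window, because a user who has per-user MFA disabled and is not yet covered by a policy is temporarily without MFA.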

Disable security defaults

When Microsoft Entra Conditional Access is used, security defaults are not required and are disabled automatically. Verify this setting in the Microsoft Entra admin center under

Identity > Overview > Properties > Security defaults

Deploy Microsoft Entra Conditional Access

Multi-Factor Authentication (MFA) is now configured with Microsoft Entra Conditional Access. In the following example, all users must perform multi-factor authentication for all cloud apps. The policy can be adapted to your own needs.

Open the Microsoft Entra admin center and go to
Protection > Conditional Access > Policies > New policy

Enter a policy name, e.g., Enforce MFA all users.

Select Users and include All users in the policy.
Exclude emergency accounts if necessary.

Select Target resources and enable All cloud apps.

Select Grant and enable Require multifactor authentication.

Enable the policy with On and save it with Create.

The Microsoft Entra Conditional Access policy now enforces Multi-Factor Authentication for all users when accessing cloud apps.
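The same policy can be created through Microsoft Graph, which is useful when the configuration should be repeatable across tenants or kept in source control. The following is an added example, not code from the original post: it builds the policy described above (all users, all cloud apps, grant control "Require multifactor authentication") with the Microsoft.Graph PowerShell SDK cmdlet `New-MgIdentityConditionalAccessPolicy`. It assumes the SDK is installed; `$emergencyAccountIds` is a placeholder for the object IDs of your emergency accounts.

```powershell
# Added example, not the original post's code.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the object IDs in
# $emergencyAccountIds are placeholders to be replaced with your own.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object IDs of the emergency (break-glass) accounts to exclude.
$emergencyAccountIds = @("<EMERGENCY-ACCOUNT-OBJECT-ID>")

function New-MfaForAllUsersPolicy {
    param(
        [string]$DisplayName = "Enforce MFA all users",
        [string[]]$ExcludeUsers = @(),
        # "enabled" matches "On" in the portal;
        # "enabledForReportingButNotEnforced" is report-only mode.
        [ValidateSet("enabled", "enabledForReportingButNotEnforced", "disabled")]
        [string]$State = "enabled"
    )

    # Mirrors the portal settings: Users = All users (minus exclusions),
    # Target resources = All cloud apps, Grant = Require multifactor authentication.
    $policy = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeUsers = @("All")
                excludeUsers = $ExcludeUsers
            }
            applications = @{
                includeApplications = @("All")
            }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

$created = New-MfaForAllUsersPolicy -ExcludeUsers $emergencyAccountIds
$created | Select-Object Id, DisplayName, State
```

If you prefer to watch the effect before enforcing, call the function with `-State enabledForReportingButNotEnforced`, check the sign-in logs for the report-only results, and then switch the policy to `enabled` with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled`. Keep the emergency-account exclusion in place either way so a misconfigured policy cannot lock every administrator out.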

Function check

When accessing a cloud app, such as, the user is prompted for Multi-Factor Authentication (MFA).

The sign-in is shown in the Microsoft Entra admin center under Sign-in logs.

Identity > Users > All users > Sign-in logs

In the details of the sign-in entry, under Conditional Access, it shows that the Microsoft Entra Conditional Access policy was applied successfully.
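The same check can be run against the sign-in logs through Microsoft Graph, which is handy when verifying several users or when the result should be recorded. The following is an added example, not code from the original post: for one user it pulls the most recent sign-ins with `Get-MgAuditLogSignIn` and reports whether the policy named above was applied and what the MFA outcome was. It assumes the Microsoft.Graph PowerShell SDK is installed and that `Enforce MFA all users` is the policy name used in the previous step.

```powershell
# Added example, not the original post's code.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the policy is named
# "Enforce MFA all users" as in the previous step.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-MfaPolicyResult {
    # Returns the latest sign-ins of a user with the Conditional Access outcome
    # for the named policy, so a successful switch can be confirmed per user.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$PolicyName = "Enforce MFA all users",
        [int]$Top = 10
    )

    $filter  = "userPrincipalName eq '$UserPrincipalName'"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -Top $Top

    foreach ($s in $signIns) {
        # The sign-in carries one entry per evaluated policy; pick ours.
        $applied = $s.AppliedConditionalAccessPolicies |
                   Where-Object { $_.DisplayName -eq $PolicyName }

        [pscustomobject]@{
            Time                    = $s.CreatedDateTime
            App                     = $s.AppDisplayName
            ErrorCode               = $s.Status.ErrorCode             # 0 = success
            AuthRequirement         = $s.AuthenticationRequirement    # e.g. multiFactorAuthentication
            ConditionalAccessStatus = $s.ConditionalAccessStatus      # success / failure / notApplied
            PolicyResult            = if ($applied) { $applied.Result } else { "policy not evaluated" }
            MfaMethod               = $s.MfaDetail.AuthMethod         # null when no MFA was performed
        }
    }
}

# Usage: replace the UPN with a real user of your tenant.
Get-MfaPolicyResult -UserPrincipalName "user@example.com" | Format-Table -AutoSize
```

A healthy result after the switch shows `ConditionalAccessStatus` of `success`, `PolicyResult` of `success` for the policy, and `AuthRequirement` of `multiFactorAuthentication`. Rows with `policy not evaluated` on a user who should be covered are worth a second look at the policy's include and exclude settings.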

Good to know

Do users receive a request to re-register for Multi-Factor Authentication?

No, users do not need to re-register for Multi-Factor Authentication. If the Microsoft Entra Conditional Access policy is configured and per-user MFA is disabled, the existing registration remains intact. The switch is seamless.

Follow me on LinkedIn to always stay updated on my recent posts.
