Do you have the correct MFA settings in your conditional access policy?


Fortunately, many administrators have by now recognised that MFA is necessary. But are the settings they configure via a conditional access policy actually the right ones?

At a number of organizations I have come across a single conditional access policy configured so that only users who are members of one security group must use MFA when logging in.

This policy looks like this:

Policy name: MFA_Enabled

Assignments
  Users and groups:      Include: CAP_MFA_Included
                         Exclude: CAP_MFA_Exclude
  Cloud apps or actions: All
  Conditions:            Locations: Any location
                         Exclude: Trusted Locations

Access controls
  Grant:   Require multi-factor authentication
  Session: (none)

At first glance this policy looks good: users must use MFA when they log in. The catch is that it only applies to members of the included group. It does not apply to all users, and certainly not to guest or external users!

What happens if a new user is created and is not a member of the CAP_MFA_Included group?

Logging in with a user who is a member of the group gives the expected prompt that MFA must be used.

When a user who is not a member of the group logs in, there will be no prompt for MFA.

In this example it is better to target All users. I would also advise enforcing MFA for guest and external users.
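To make the two scenarios above concrete, here is an added example (not code from the original post) that evaluates the user scope of a conditional access policy offline and audits MFA policies for coverage gaps. The policy dictionaries mimic the shape of a Microsoft Graph conditionalAccessPolicy object (conditions.users.includeUsers / includeGroups / excludeGroups, grantControls.builtInControls, state); the group names are constructed sample values standing in for the object IDs Graph would hold, and location, device and guest-specific conditions are left out of the simulation.

```python
"""Offline check of Conditional Access MFA coverage.

Added example, not part of the original post. Policy objects follow the
Microsoft Graph conditionalAccessPolicy layout; group names stand in for
object IDs and all sample values are constructed.
"""

# Constructed sample: the group-scoped MFA_Enabled policy from the post.
GROUP_SCOPED_POLICY = {
    "displayName": "MFA_Enabled",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": [],
            "includeGroups": ["CAP_MFA_Included"],
            "excludeUsers": [],
            "excludeGroups": ["CAP_MFA_Exclude"],
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed sample: the corrected policy, targeting All users.
ALL_USERS_POLICY = {
    "displayName": "MFA_Enabled",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "includeGroups": [],
            "excludeUsers": [],
            "excludeGroups": ["CAP_MFA_Exclude"],
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def requires_mfa(policy):
    """True when the policy is enforced (not disabled or report-only)
    and its grant control includes MFA."""
    enforced = policy.get("state") == "enabled"
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    return enforced and "mfa" in controls


def policy_applies_to(policy, user_id, user_groups):
    """Simulate the user-scope evaluation of one policy.

    Exclusions win over inclusions, as in Conditional Access.
    Location, device and app conditions are treated as matched.
    """
    users = policy["conditions"]["users"]
    groups = set(user_groups)
    if user_id in users.get("excludeUsers", []):
        return False
    if groups & set(users.get("excludeGroups", [])):
        return False
    if "All" in users.get("includeUsers", []) or user_id in users.get("includeUsers", []):
        return True
    return bool(groups & set(users.get("includeGroups", [])))


def mfa_enforced_for(policies, user_id, user_groups):
    """True when at least one enforced MFA policy applies to this user."""
    return any(
        requires_mfa(p) and policy_applies_to(p, user_id, user_groups)
        for p in policies
    )


def audit_mfa_coverage(policies):
    """Return findings for enforced MFA policies that do not cover every user
    or that carry exclusion groups whose membership should be reviewed."""
    findings = []
    for p in policies:
        if not requires_mfa(p):
            continue
        users = p["conditions"]["users"]
        name = p["displayName"]
        if "All" not in users.get("includeUsers", []):
            findings.append(
                f"{name}: scoped to groups {users.get('includeGroups')} instead of "
                "All users; new users and guests are not covered"
            )
        if users.get("excludeGroups"):
            findings.append(
                f"{name}: review membership of excluded groups {users.get('excludeGroups')}"
            )
    return findings


if __name__ == "__main__":
    # A freshly created user who is not yet in CAP_MFA_Included.
    new_user, new_user_groups = "new.user@contoso.example", []
    print(mfa_enforced_for([GROUP_SCOPED_POLICY], new_user, new_user_groups))  # False
    print(mfa_enforced_for([ALL_USERS_POLICY], new_user, new_user_groups))     # True
    for finding in audit_mfa_coverage([GROUP_SCOPED_POLICY]):
        print(finding)
```

Running the script shows the gap the post describes: under the group-scoped policy a new user outside CAP_MFA_Included gets no MFA requirement, while the All-users policy covers that same user. The audit also flags the exclusion group in both policies, since an exclusion group is the other place where a user can silently fall outside the policy.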

Consider carefully which policy must be enforced via Conditional Access Policies, and include not only users but also devices. By testing different scenarios you can verify that the Conditional Access Policies you have set work as you intend, and that users cannot bypass them because of a wrong setting.
