Fortunately, the realization and necessity to use MFA has penetrated many administrators. But are the settings set via a conditional access policy the correct settings?
At a number of organizations I have now come across that have a single conditional access policy configured where users are members of a security group when logging in must use MFA.
This policy looks like this:
|Users and groups||Cloud Apps or actions||Conditions||Grant||Session|
|CAP_MFA_Included||All||locations: Any Location Exclude: Trusted Locations||GRANT Require multi-factor authentication|
You would say that this policy is good, users must use MFA when they want to log in. It’s just that users must be members of the group that is included. It does not say that this applies to all users and certainly not to guest or external users!
What happens if a new user is created and is not a member of the CAP_MFA_Included group?
Logging in with a user who is a member of the group naturally gives a neat prompt that MFA must be used.
When a user who is not a member of the group logs in, there will be no prompt for MFA.
In this example it is more convenient to choose all users. I would also advise enforcing MFA for guest and external users.
Consider carefully which policy must be enforced via Conditional Access Policies. Do not only involve users, but also devices. By testing different scenarios you can find out if the Conditional Access Policies you have set work as you want them to work and not whether users can bypass these rules due to a wrong setting.