Per-user multi-factor authentication – Planning and Implementing Authentication


If MFA was configured in your tenant before October 2019, it may have been configured using the legacy MFA scheme. Before the newer options existed, MFA was enabled on a per-user basis by manually updating each user's account to enforce the use of MFA.
Before implementing either Microsoft-managed security defaults or Conditional Access policies, you will need to disable the legacy per-user MFA. Leaving per-user MFA enabled while a Conditional Access policy also prompts for MFA can cause unintended or unexpected MFA prompts.
To disable per-user MFA, follow these steps:

  1. Navigate to the Microsoft 365 admin center (https://admin.microsoft.com).
  2. Expand Users and select Active users.
  3. Select Multi-factor authentication.

Figure 7.7 – The Active users page

  4. If your tenant already has Conditional Access policies, you may need to select the Legacy per-user MFA link to launch the legacy MFA page.
  5. On the Multi-factor authentication page, set the per-user MFA status to Disabled for users that currently have Enforced or Enabled set. You can select multiple users, but only users that share the same MFA status can be multi-selected.

Figure 7.8 – Selecting users
Once per-user MFA is disabled, you can configure security defaults or Conditional Access policies.
Security defaults
For most organizations, security defaults are a good choice for configuring broad baseline security policies. Security defaults make the following security changes:
• Requiring all users to register for MFA
• Requiring administrators to perform MFA upon sign-in
• Requiring users to do MFA when necessary
• Blocking basic authentication and other legacy authentication protocols
• Requiring administrators to perform MFA when accessing privileged resources, such as the Azure portal, Azure PowerShell, or the Azure CLI
Security defaults can be modified by users with the Global Administrator, Conditional Access Administrator, or Security Administrator role. Security defaults can be enabled or disabled using the following process:

  1. Navigate to the Azure portal (https://portal.azure.com).
  2. Select Azure Active Directory.
  3. Under Manage, click Properties.
  4. Scroll to the bottom of the page and click Manage security defaults.
  5. On the Security defaults flyout, select either Enabled or Disabled and click Save.
    If you are going to configure Conditional Access policies, you should disable security defaults. If you are not going to configure Conditional Access policies, you should enable security defaults.
    FURTHER READING
    For more information on the impact of security defaults, see the following: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults.
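As an added example (not from the book), the scripted equivalent of the two procedures above: it audits which users still carry the legacy per-user MFA state, optionally clears it (the same change the portal makes when you select Disabled), and then reports the current security defaults setting. It assumes the legacy MSOnline module (the module that exposes per-user MFA state) and the Microsoft Graph PowerShell SDK are installed, and that you hold a role permitted to change these settings; the `$Apply` switch is a constructed guard, not a Microsoft parameter.

```powershell
# Added example, not the book's own code. Requires MSOnline (legacy) and
# Microsoft.Graph.Identity.SignIns. Reports only unless $Apply is set to $true.
Import-Module MSOnline
Connect-MsolService

$Apply = $false   # constructed dry-run guard; flip to $true to make changes

# Per-user MFA is stored on the user as a StrongAuthenticationRequirement.
# An empty collection means Disabled; otherwise State is Enabled or Enforced.
$mfaUsers = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    Select-Object UserPrincipalName,
        @{ Name = 'PerUserMfaState'
           Expression = { $_.StrongAuthenticationRequirements[0].State } }

# Report first, grouped by state the same way the legacy page groups them
# (the portal only lets you multi-select users with the same status).
$mfaUsers | Group-Object PerUserMfaState | ForEach-Object {
    '{0,-9} {1,5} user(s)' -f $_.Name, $_.Count
}
$mfaUsers | Format-Table -AutoSize

if ($Apply) {
    foreach ($u in $mfaUsers) {
        # An empty requirements collection sets per-user MFA to Disabled,
        # matching the Disabled action on the Multi-factor authentication page.
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
                     -StrongAuthenticationRequirements @()
        "Disabled per-user MFA for $($u.UserPrincipalName)"
    }
}
else {
    "Dry run: $($mfaUsers.Count) user(s) would be set to Disabled."
}

# Afterwards, confirm where security defaults stand before deciding between
# security defaults and Conditional Access (Policy.Read.All is sufficient to read).
Connect-MgGraph -Scopes 'Policy.Read.All'
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"
```

Run the report before enabling `$Apply` so you can confirm that every user listed is expected to lose per-user MFA and will instead be covered by security defaults or a Conditional Access policy.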
