Learn about Conditional Access: Require MFA for all users


This tutorial walks through the Conditional Access policy that requires multi-factor authentication (MFA) for all users. Conditional Access policies are powerful tools, so before you enable one, plan the user and application exclusions described below.

User exclusions

Conditional Access policies are powerful tools, but we recommend excluding the following accounts from the policy:

  • Emergency access or break-glass accounts, to avoid tenant-wide account lockout. If all of your administrators are locked out of your tenant, you can sign in with the emergency-access administrative account and take steps to regain access.
  • Service accounts and service principals, such as the Azure AD Connect Sync Account. Service accounts are not tied to a specific user and are not interactive. Back-end services use them for programmatic access to applications, but they can also sign in to systems for administrative purposes. Because such accounts cannot complete MFA interactively, they should be excluded. Conditional Access does not block calls made by service principals.
    • If these accounts are used in scripts or code within your organization, consider replacing them with managed identities. As a temporary workaround, exclude these accounts from the baseline policy.

Application exclusions

Organizations may use many cloud apps, and not all of them need the same level of protection. Payroll and attendance applications, for example, may warrant MFA, while a cafeteria menu app is unlikely to. Administrators can exclude specific applications from the policy.

Create a Conditional Access policy

The steps below create a Conditional Access policy that requires all users to use multi-factor authentication.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful naming standard for their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions > Include, select All cloud apps.
    1. Under Exclude, select any applications that do not require multi-factor authentication.
  7. Under Conditions > Client apps (Preview), under Select the client apps this policy will apply to, leave all defaults selected and select Done.
  8. Under Access controls > Grant, select Grant access, select Require multi-factor authentication, and then select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select Create to create and enable your policy.

Named locations

Organizations can include named locations, which are network locations, in their Conditional Access policies. Trusted IPv4 networks, such as those of a primary office location, can be included in these named locations.

An organization may choose not to require multi-factor authentication when a cloud app is accessed from its corporate network, as in the example policy above. In that case, it can add the following configuration to the policy:

  1. Under Assignments, select Conditions > Locations.
    1. Configure Yes.
    2. Include Any location.
    3. Exclude All trusted locations.
    4. Select Done.
  2. Select Done.
  3. Save your policy changes.
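The same policy expressed as a Microsoft Graph conditionalAccessPolicy request body (the object the portal steps above produce), with a small lint that checks the exclusion guidance from this page. This is an added example, not code from the original tutorial or from Microsoft; the object IDs are constructed placeholders, and the `lint_policy` checks are this example's own.

```python
"""Build the 'Require MFA for all users' policy as a Microsoft Graph
conditionalAccessPolicy body (POST /identity/conditionalAccess/policies)
and lint it against the break-glass and MFA guidance above."""

# Constructed placeholder object IDs, not from any real tenant.
BREAK_GLASS_ACCOUNTS = ["11111111-1111-1111-1111-111111111111",
                        "22222222-2222-2222-2222-222222222222"]
SYNC_ACCOUNT = "33333333-3333-3333-3333-333333333333"   # Azure AD Connect sync account
CAFETERIA_APP = "44444444-4444-4444-4444-444444444444"  # app that does not need MFA


def build_policy(name, exclude_users, exclude_apps,
                 trusted_network_bypass=True, report_only=False):
    """Mirror the portal steps: All users, All cloud apps, grant = require MFA.
    trusted_network_bypass adds the 'Named locations' variant (exclude AllTrusted)."""
    conditions = {
        "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        "applications": {"includeApplications": ["All"],
                         "excludeApplications": list(exclude_apps)},
        "clientAppTypes": ["all"],          # leave the client-app defaults as-is
    }
    if trusted_network_bypass:
        conditions["locations"] = {"includeLocations": ["All"],
                                   "excludeLocations": ["AllTrusted"]}
    return {
        "displayName": name,
        # report-only lets you observe impact before enforcing
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy, break_glass):
    """Return a list of findings; an empty list means the policy follows the guidance."""
    findings = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not target all users")
    missing = [u for u in break_glass if u not in users.get("excludeUsers", [])]
    if missing:
        findings.append(f"break-glass accounts not excluded: {missing}")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control does not require MFA")
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not enforced")
    return findings
```

Run `lint_policy` against a policy exported from Graph as well as against one you are about to create; a non-empty result before enabling the policy is the cheapest lockout check you can make.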

Reference documentation – Conditional Access: Require MFA for all users
