We like to allow users to reset their Microsoft 365 password. The feature we have…
How to Configure Microsoft Entra Multi-Factor Authentication
You want to enable Microsoft Entra Multi-Factor Authentication. There is a per-user MFA and Conditional Access based MFA. Before you can deploy Microsoft Entra Conditional Access based Multi-Factor Authentication, you need Microsoft Entra ID P1 or P2. In this article, you will learn how to configure Microsoft Entra Multi-Factor Authentication for all users step by step.
Table of contents
Before you enable Microsoft Entra Multi-Factor authentication
Do not enable MFA for all users at once. The IT support team will get phone calls and emails about the MFA enrollment or that applications are not functioning.
- Configure Conditional Access MFA with a couple of test users or with a Pilot group first before applying the MFA policy for all users.
- Create an instruction on how to set up MFA and send it to the users by email, print it out, place it on their desks, or place it on the intranet.
Microsoft did create excellent Multi-Factor Authentication rollout materials that you can download, edit and send to the users. The instruction that we always use is the Setup Microsoft Authenticator app authentication.
Do you already have per-user MFA configured in Microsoft 365 tenant, and do you want to move to Conditional Access based MFA? Find out how to move from per-user MFA to Conditional Access MFA.
Check Microsoft Entra license
Check that your tenant has Microsoft Entra ID P1 or P2:
- Sign in to Microsoft Entra admin center
- Click on Identity > Overview
- Find the License under Basic Information
In the example below, we have the license Microsoft Entra ID P2.
In the next step, you will choose the verification methods for the users.
Choose verification methods
Important: Go through the article Migrate legacy MFA and SSPR to Authentication methods policy before you go further.
Check the authentication methods:
- Sign in to Microsoft Entra admin center
- Click on Protection > Authentication methods > Policies
- Enable the authentication methods that will be available to the users
Note: Microsoft recommends disabling the SMS and Voice call methods because they are not secure.
In the next step, you will add locations to exclude from MFA.
Configure named locations
You don’t want to let users use MFA when they are connected to a trusted network. To allowlist the IP address locations, we will use the Named locations feature in Conditional Access.
- Select Conditional Access > Named locations
- Click on IP ranges location
- Add the name and external IP location
- Click Create
In this example, we will add two locations. That’s the Head Office and Branch Office that we like to exclude from MFA.
- Repeat and add other locations
We will add the Branch Office location external IP to exclude from MFA.
- The external IP addresses show up in the Conditional Access named location list
In the next step, you will create a Non-MFA security group for the accounts you will exclude from MFA.
Create Non-MFA security group
It’s good to know that you need to exclude Service Accounts from MFA. Service accounts are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services allowing programmatic access to applications but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can’t be completed programmatically.
Note: If you don’t have an on-premises Active Directory synced with Microsoft Entra Connect Sync (Hybrid Cloud), create a security group in Microsoft Entra ID.
- Go to Active Directory Users and Computers
- Create a security group with the name Non-MFA
- Double-click the Non-MFA security group
- Add the Service Accounts to the group
- Force sync Azure AD Connect or wait 30 minutes before the changes are in sync with the cloud.
In the next step, you will enable MFA for all users in Microsoft Entra Conditional Access.
Configure Microsoft Entra Conditional Access MFA
Create a Conditional Access Policy to force MFA for all the users. You can select only a selected group of users. But, we recommend enabling MFA for all users.
Step 1: New Policy
Click on Conditional Access > Create new policy.
Step 2: Name
Give it the name MFA all users.
Step 3: Assignments
Click Users and groups > Include. Select All users.
Click Exclude. Select Users and groups. Select the Non-MFA security group which you created in the previous steps.
Do you have Microsoft Entra Connect Sync? Don’t forget to exclude MFA for the Microsoft Entra Connect Sync Account. Read more about that in Conditional Access MFA breaks Azure AD Connect synchronization.
Do you have more Service Accounts and are they created in Microsoft Entra ID? Create a Non-MFA-Entra security group in Microsoft Entra ID and add these accounts to the group. After that, add the Non-MFA-Entra security group to the excluded policy setting.
Step 4: Cloud apps or actions
Click Target resources > Cloud apps > Include. Select All cloud apps.
Step 5: Conditions
Click Network > Yes > Include. Select Any network or location.
Click Exclude and select Selected network and locations. Select the named locations that you created in the previous steps.
Step 6: Grant
Click Grant. Select Grant access. Check the checkbox Require multi-factor authentication. Click on Select.
Step 7: Enable policy
Click the On switch to enable the policy. Select I understand that my account will be impacted by this policy. Proceed anyway. Click Create.
Note: Remember to test the Conditional Access MFA policy on a selected group of users before you apply it to all the users.
Suppose you click on Create, and you get the below warning and error:
- It looks like you’re about to manage your organization’s security configurations. That’s great! You must first disable security defaults before enabling a Conditional Access policy.
- Security defaults must be disabled to enable Conditional Access policy.
You can read the article How to Disable security defaults in Microsoft Entra ID.
Step 8: Check Conditional Access policy
Click on Policies. The policy shows up in the Conditional Access policies list.
You should always Export Conditional Access policies to JSON files for backup purposes. Suppose policies get edited, and you want to restore the policies, you can easily Import Conditional Access policies into the tenant.
Verify your work
After you configure the policy, the users will get a message that they need to set up MFA when they use services that require MFA. For example, when they sign in to Microsoft 365 portal.
Note: Users will not get a notification to set up MFA or MFA authorization if they are at the locations which are excluded from MFA. In this example, the Head Office and the Branch Office.
Below is an example of how it looks when a user signs in to the Microsoft 365 portal after configuring Microsoft Entra Conditional Access MFA.
The user will now use the instructions you provided to set up MFA.
Read more: Secure MFA and SSPR registration with Conditional Access »
Conclusion
You learned how to configure Microsoft Entra Multi-Factor Authentication. Create a Non-MFA security group and add the Service Accounts to that group. Otherwise, the accounts will have problems after you enable MFA. Before you roll out MFA for all users, test the policy first on a couple of test users or a Pilot group. Remember to create an instruction on how to set up MFA and send it to the users.
Did you enjoy this article? You may also like Install and configure Azure AD Connect. Don’t forget to follow us and share this article.
Nice article! This is exactly how is works. But…
How do you enforce users to setup their MFA if they only work from an excluded location? They will never get the ‘More information required’ pop-up. So you will always stay with some accounts which haven’t setup MFA which will be a risk.