Azure Multi-Factor Authentication & Conditional Access Policy Tips

  1. Do not turn on Multi-Factor Authentication from the legacy MFA console on a per-user basis. Use Conditional Access to enforce MFA.
    • If you have both options turned on, legacy MFA wins: it will prompt the user for MFA every single time, regardless of the conditions in your Conditional Access policies.
    • Legacy MFA uses app passwords, which are a terrible user experience. They apply to clients that don’t support Modern Authentication: those users will have to append an app password to their password to log in. Instead, consider blocking clients that don’t support MFA.
  2. MFA will only work with Conditional Access if the client application supports Modern Authentication (the ADAL library).
    • That’s right: Conditional Access policies will not work if the client doesn’t support Modern Authentication. You can find out which clients are connecting to your organization using the Azure AD sign-in logs.
  3. MFA will not be prompted every time a user logs in to a service. Azure AD authentication uses access tokens and refresh tokens to grant access to a service. The access token is valid for an hour, at which point the refresh token is used to request another access token (refresh tokens have a longer lifetime than access tokens). This cycle can continue for up to 90 days. Keep in mind that Conditional Access policies are evaluated every time the service gives you a new access token. These default token lifetimes are Microsoft’s recommendation, as they have found no correlation between longer refresh token lifetimes and account compromise.
  4. Use the Sign-ins log in Azure Active Directory to troubleshoot issues and to understand whether, and how, the MFA requirement was met.
    • Admins will bring up the fact that users are not prompted for MFA; by looking at the logs, however, you will notice that MFA did apply, but other device claims satisfied the MFA requirement. In other words, the user did not experience a visible “MFA” prompt; instead, a combination of other trust factors, such as device compliance or hybrid Azure AD joined status, satisfied the MFA requirement.
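The two log questions in tips 2 and 4 (which clients are connecting over legacy protocols, and how a sign-in satisfied MFA without a visible prompt) can be answered from an exported sign-in log. The script below is an added example, not part of the original post: the field names follow the Microsoft Graph signIn resource, while the four records are constructed sample data and the classification rules are my own reading of those fields.

```python
from collections import Counter

# clientAppUsed values that speak modern authentication (OAuth 2.0 via ADAL/MSAL).
# Every other value in the sign-in log (Exchange ActiveSync, IMAP4, POP3,
# Authenticated SMTP, "Other clients", ...) is a legacy protocol that can never
# satisfy a Conditional Access MFA requirement.
MODERN_AUTH_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records, not a real export; only the fields used below are filled in.
SAMPLE_SIGNINS = [
    {   # visible MFA prompt: password, then an Authenticator push
        "userPrincipalName": "alice@contoso.example",
        "clientAppUsed": "Browser",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA", "result": "success", "enforcedGrantControls": ["Mfa"]}],
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Mobile app notification", "succeeded": True,
             "authenticationStepResultDetail": "MFA completed in Azure AD"}],
        "deviceDetail": {"isCompliant": False, "trustType": ""},
    },
    {   # no prompt: the MFA claim was already in the token being refreshed (tip 3)
        "userPrincipalName": "bob@contoso.example",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA", "result": "success", "enforcedGrantControls": ["Mfa"]}],
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}],
        "deviceDetail": {"isCompliant": False, "trustType": ""},
    },
    {   # no prompt: policy is "MFA OR compliant device" and the device is compliant
        "userPrincipalName": "carol@contoso.example",
        "clientAppUsed": "Browser",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA or compliant device", "result": "success",
             "enforcedGrantControls": ["Mfa", "CompliantDevice"]}],
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"}],
        "deviceDetail": {"isCompliant": True, "trustType": "Azure AD joined"},
    },
    {   # legacy protocol: no Conditional Access policy applied, so MFA could not be enforced
        "userPrincipalName": "dave@contoso.example",
        "clientAppUsed": "IMAP4",
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [],
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"}],
        "deviceDetail": {"isCompliant": False, "trustType": ""},
    },
]


def is_legacy_auth(signin):
    """True when the client protocol cannot do modern authentication."""
    return signin.get("clientAppUsed") not in MODERN_AUTH_CLIENTS


def legacy_auth_report(signins):
    """Count legacy-protocol sign-ins per (user, client) so they can be fixed or blocked."""
    counts = Counter((s["userPrincipalName"], s["clientAppUsed"])
                     for s in signins if is_legacy_auth(s))
    return dict(counts)


def how_mfa_was_met(signin):
    """Explain, for one sign-in, why the user did or did not see an MFA prompt."""
    policies = [p for p in signin.get("appliedConditionalAccessPolicies", [])
                if p.get("result") == "success" and "Mfa" in p.get("enforcedGrantControls", [])]
    if not policies:
        return "MFA not enforced by any applied policy"
    steps = signin.get("authenticationDetails", [])
    # Check the token-claim case first: it is also reported as a succeeded, non-password step.
    if any("claim in the token" in s.get("authenticationStepResultDetail", "") for s in steps):
        return "satisfied by MFA claim already in the token (no prompt)"
    if any(s.get("succeeded") and s.get("authenticationMethod") != "Password" for s in steps):
        return "interactive MFA prompt"
    device = signin.get("deviceDetail", {})
    controls = {c for p in policies for c in p["enforcedGrantControls"]}
    if "CompliantDevice" in controls and device.get("isCompliant"):
        return "satisfied by compliant device (no prompt)"
    if "DomainJoinedDevice" in controls and device.get("trustType") == "Hybrid Azure AD joined":
        return "satisfied by hybrid Azure AD joined device (no prompt)"
    return "unclear: review the sign-in manually"


def mfa_report(signins):
    return {s["userPrincipalName"]: how_mfa_was_met(s) for s in signins}


if __name__ == "__main__":
    print("legacy auth:", legacy_auth_report(SAMPLE_SIGNINS))
    for user, verdict in mfa_report(SAMPLE_SIGNINS).items():
        print(f"{user}: {verdict}")
```

Run it against a JSON export of the Sign-ins blade (or the Graph `auditLogs/signIns` endpoint) in place of SAMPLE_SIGNINS: the legacy report tells you which users to move off IMAP/POP/ActiveSync before tip 6's block policy goes live, and the MFA report answers the "MFA never prompts" ticket with the device claim or token claim that satisfied it.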
  5. “Hybrid Azure AD Joined” and “Device is Compliant” should be used with caution. Domain-joined devices need to be synced and registered with Azure AD before it can recognize them as domain-joined devices, and there are some steps that need to be configured before this works. “Device is Compliant” means the device is Intune-enrolled and meets its compliance policies.
  6. Block legacy authentication after MFA is deployed so that clients that do not support MFA are not allowed to connect to the organization.
  7. Create break-glass accounts in case you lock yourself out or Microsoft’s MFA service goes down. These accounts should be exempt from MFA and other Conditional Access policies.
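Tips 1, 6 and 7 together describe two Conditional Access policies: require MFA for everyone through Conditional Access, block legacy authentication, and keep the break-glass accounts out of both. The script below is an added example, not from the original post: it builds those two policies as Microsoft Graph conditionalAccessPolicy request bodies and lints them for the two mistakes the tips warn about (a policy that targets all users without excluding the break-glass group, and an MFA requirement aimed at legacy clients that can never satisfy it). The group ID is a placeholder and the display names are assumptions; the field names and enum values are the Graph resource's own.

```python
import json

# Placeholder object ID for the security group holding the break-glass accounts
# (not a real ID; substitute the group from your own tenant).
BREAKGLASS_GROUP_ID = "00000000-0000-0000-0000-000000000001"

# Graph clientAppTypes values. Only the first two speak modern authentication.
MODERN_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients"}
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def _users_all_except(group_id):
    return {"includeUsers": ["All"], "excludeGroups": [group_id]}


def require_mfa_policy(group_id, state="enabledForReportingButNotEnforced"):
    """Tip 1: enforce MFA through Conditional Access, for modern-auth clients only."""
    return {
        "displayName": "CA001 - Require MFA for all users",  # assumed name
        "state": state,
        "conditions": {
            "users": _users_all_except(group_id),
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(MODERN_CLIENT_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth_policy(group_id, state="enabledForReportingButNotEnforced"):
    """Tip 6: block the protocols that cannot do MFA at all."""
    return {
        "displayName": "CA002 - Block legacy authentication",  # assumed name
        "state": state,
        "conditions": {
            "users": _users_all_except(group_id),
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(LEGACY_CLIENT_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


NO_BREAKGLASS_EXCLUSION = "targets all users but does not exclude the break-glass group"
MFA_ON_LEGACY = "requires MFA from legacy-auth clients, which cannot satisfy it (block them instead)"
BLOCK_HITS_MODERN = "block control also applies to modern-auth clients"


def _effective_client_types(policy):
    types = set(policy["conditions"].get("clientAppTypes", []))
    if not types or "all" in types:  # omitted or "all" means every client type
        return MODERN_CLIENT_TYPES | LEGACY_CLIENT_TYPES
    return types


def lint_policy(policy, group_id):
    """Return the problems found in a policy body; an empty list means it passes."""
    problems = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"] and group_id not in users.get("excludeGroups", []):
        problems.append(NO_BREAKGLASS_EXCLUSION)  # tip 7
    controls = set(policy["grantControls"]["builtInControls"])
    client_types = _effective_client_types(policy)
    if "mfa" in controls and client_types & LEGACY_CLIENT_TYPES:
        problems.append(MFA_ON_LEGACY)  # tip 2
    if "block" in controls and client_types & MODERN_CLIENT_TYPES:
        problems.append(BLOCK_HITS_MODERN)
    return problems


def baseline_policies(group_id):
    """Both policies as JSON request bodies, refusing to emit one that fails the lint."""
    policies = [require_mfa_policy(group_id), block_legacy_auth_policy(group_id)]
    for p in policies:
        problems = lint_policy(p, group_id)
        if problems:
            raise ValueError(f"{p['displayName']}: {'; '.join(problems)}")
    return [json.dumps(p, indent=2) for p in policies]


if __name__ == "__main__":
    for body in baseline_policies(BREAKGLASS_GROUP_ID):
        print(body)
```

Both bodies default to report-only (`enabledForReportingButNotEnforced`); POST them to `/identity/conditionalAccess/policies`, read the report-only results in the sign-in log for a while, then flip `state` to `enabled`. The lint is deliberately strict about MFA on legacy client types: those clients will only fail, so the block policy is the honest way to treat them.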