How to enforce multi-factor authentication on Microsoft 365 (Office 365) using Conditional Access

What is Conditional Access?

Conditional Access is about more than MFA. Conditional Access is, quite literally, a number of conditions you define to permit access. One of those conditions can be requiring MFA. But, it could also include where a user is logging in from, what the user is trying to access, the device they are using, group membership, or any combination you choose.

If your users have Azure AD Premium P1 licenses, we recommend you use Conditional Access. Although setting it up requires a few extra steps, it's quite straight forward to make a sensible baseline configuration and you'll have the flexibility to make exceptions and extensions as necessary.

This means you could build up very complex Conditional Access policies if you choose to. However it is commonly used to simply mandate MFA except in certain scenarios e.g. accessing a non-sensitive app, or using a break-glass accounts.

Microsoft continues to invest in Conditional Access and it is clearly their preferred route for you to take if you can. For more information, read a more in-depth overview of Conditional Access from the official source.

If you choose Conditional Access we will show you how to prepare the necessary parts of your environment and guide you to sensible starter policies, which you can initially set to audit mode. Whilst using our automations to encourage users to register for MFA, you can monitor audit logs to have complete assurance no one will be impacted when you switch to enforce mode.

Before you start

Get business buy-in

Big changes that people notice tend to benefit from an executive sponsor to lend weight behind the change - you'll know better than us whether that makes sense for your organisation. You can read for some pointers.

Prepare your support team

When adopting MFA, some users may struggle with the process of enrolling for MFA, or need help if they lose their MFA token or device after setup. Users will have a much better experience of MFA, and work disruption kept to a minimum, if the IT support team (or person as the case may be) is prepared to support both enrolment and recovery, and can get them back on their feet quickly.

To make sure everything goes smoothly when something goes wrong, we recommend you make sure anyone responding to support requests tests or practices these processes using a test account.

Let's get started!

Configuring your environment

Before using Conditional Access to enforce MFA, you'll need to do the following:

Enforcing MFA

Now you've defined your policies and your users are mostly registered, all that's left to do is to turn them on. Follow these steps to enable a Conditional Access policy:

Step 1

Go to the Conditional Access blade in Azure Active Directory admin center.

Step 2

Select the Conditional Access policy you want to enable:

M365: Conditional access list policies

Step 3

At the bottom of the screen, under "Enable policy" select "On".

M365: Conditional Access enable policy

Hit Save.