Multi-Factor Authentication (MFA)

@idwilliams 

You said that App Passwords are allowed but I know they are not able to be used with Conditional Access policies. Am I correct in assuming that we are allowed to enforce MFA by changing user states in the Azure Multi-Factor Authentication portal, provided that we enforce for all users?

Link for what I am talking about: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#enable-azure-mfa-by-changing-user-state

@TomR : Yes, MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules.

So to be clear, we do not need to use the Baseline CA policies to meet these requirements? Are we still allowed to use Trusted Locations in the MFA settings, or will those go away or need to be turned off?

I'm really curious to know how Microsoft will be confirming that we are "compliant", because even though I have had a CA policy for months that requires MFA for All Apps for All Guests in our tenant, my Secure Score is still really low because it apparently doesn't recognize that as enforcing MFA, even though it is.

@kcears : No, baseline policies are not needed if you use other means to enforce MFA. Trusted locations exclusion is not allowed.

See also here for an updated FAQ:  https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

No info on how technical compliance will be enforced yet.

Jason, A few weeks ago you wrote "MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules."  

Does this require an Azure Premium license?  If not, how do you mix given that conditional access exclusions are not available?

@simplepowerit : Yes, creating your own conditional access rules requires AAD Premium Plan1, MFA per user is also available when licensing Office365 E3. So in this scenario you would not use the baseline policies, but only create CA rules yourself where you are able to set exclusions and choose MFA as control.

Sorry, that last question was intended for JanoschUlmer

We're planning to implement a CA policy requiring MFA for all users (including Guests), except the accounts that we need to use app passwords for (e.g. our ticketing system and our multi-functional printers). Those accounts will have their user state set to Enabled in the Azure MFA portal, and will be using an app password to authenticate.

This way we'll still have the 100% coverage the new security requirement calls for and be in compliance (I hope).

We have the exact same problem... From the baseline policy documentation, it seems like there should be an exclude functionality there, but it's not present in any of our tenants. 

We have made two new policies that does the same thing as the baseline policies... 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-baseline-protect-administrators 

Can you provide a quick guide/screenshots of which settings you chose to setup 2 policies equiliant to the PREVIEW policies - but with EXCLUSION possibilities