
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 2 Contributor

Is it OK to use per-user MFA for some users and Conditional Access for other users?

Surely this has been asked but it was mission impossible filtering through all the MFA-related threads to find it.

 

If only some users in our tenant have AAD Premium licenses available/assigned, is it OK to target these users via Conditional Access and then only configure the other users with per-user MFA settings?

 

The reason I ask is that our company has done per-user MFA for everyone and so I'm getting sick of the prompt.  I have an EMS E5 license available as part of my Visual Studio Enterprise subscription so I would rather just have a CA policy assigned to my account and forego the everyday-multiple-times MFA prompts.

 

I don't see any mention or distinction between per-user vs Conditional Access in any of the official documentation around CSP Partner MFA requirements (as an FYI).

1 ACCEPTED SOLUTION
Microsoft

Yes, you can combine per-user MFA (legacy) and conditional access.

However, this will not reduce any prompts for MFA - because regardless of the option you are using, CSP Partners need to use MFA for access to any service in their tenant - exceptions like "no MFA when accessing through trusted location" or "no MFA when using a compliant device" or excluding certain services/apps from the MFA control are not compliant.

Also noted in the FAQ: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

 

To reduce MFA prompts make sure you are NOT using the feature "remember MFA on trusted devices" (because this will in fact increase prompts for modern authentication like Office). Another option would be to use Windows 10 as a hybrid joined or Azure AD joined device (usually combined with things like Windows Hello for Business) - when using Office or a browser like Edge or Chrome there might then not be an additional MFA prompt if the device is joined to the same tenant: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim

Kind regards,
Janosch

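The accepted answer above says per-user MFA and Conditional Access can coexist, and the original question was how to target only the licensed users with a CA policy. The following is an added example (not code from the thread or from Microsoft) showing one way to do that with the Microsoft Graph PowerShell SDK: a policy that requires MFA for every member of one licensed group, across all cloud apps and all client app types, created in report-only mode first. The group name "CA-MFA-Licensed" and the policy display name are assumptions; the only exclusion is a hypothetical break-glass account, since, as the answer notes, a CSP partner tenant may not exempt trusted locations, compliant devices or individual apps from MFA.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK
# and an account that can write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

# Hypothetical names: the group holding the licensed users, and one break-glass account.
$groupName      = "CA-MFA-Licensed"
$breakGlassUpn  = "breakglass@contoso.example"

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; create it and add the licensed users first." }

$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Break-glass account '$breakGlassUpn' not found." }

# Policy body in the shape the Graph conditionalAccessPolicy resource expects.
$policy = @{
    displayName = "Require MFA - licensed users (per-user MFA stays on for everyone else)"
    # Start in report-only mode; inspect the sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($group.Id)
            # Only the break-glass account is excluded. No trusted-location or
            # compliant-device exclusions: the answer above says those are not
            # compliant for a CSP partner tenant.
            excludeUsers  = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the controls that matter for this thread.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Policy          = $check.DisplayName
    State           = $check.State
    IncludeGroups   = ($check.Conditions.Users.IncludeGroups -join ",")
    ExcludeUsers    = ($check.Conditions.Users.ExcludeUsers -join ",")
    Apps            = ($check.Conditions.Applications.IncludeApplications -join ",")
    GrantControls   = ($check.GrantControls.BuiltInControls -join ",")
    LocationExcl    = ($check.Conditions.Locations.ExcludeLocations -join ",")  # expect empty
}
```

The users left out of the group keep whatever per-user MFA state they already have; the policy only adds a CA requirement for the group members. Keep the policy in report-only mode until the sign-in logs show it applying to the intended accounts, and keep the `LocationExcl` field empty in a tenant that is bound by the Partner Center security requirements.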


Level 2 Contributor

Thanks for the quick and thorough answer @JanoschUlmer .  In this case, we have multiple tenants and all of them have the requirements enforced.  It's my day-to-day tenant/account where I'm hoping to reduce my number of prompts.  The CSP tenant where I actually access Partner Center > Customers > and do stuff, I'm A-OK to be prompted every time no matter what.

 

I think it must be that we have (in our regular users tenant) the "remember MFA on trusted devices" setting enabled (it's set to a certain number of days right now).  I have found this article about this topic (thanks to your direction): https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication

 

I'll have to see why we have it set to 6 days today.  It's pretty intense; daily I need to do MFA for OneDrive when I log in, and then 6 days blow by quickly for the remaining Office apps.

Microsoft

Daily MFA prompts for OneDrive are definitely not how it should be (e.g. I am also forced to use MFA, and I cannot remember ever seeing this for OneDrive).

Maybe you can check if your OneDrive uses ADAL: https://docs.microsoft.com/en-us/onedrive/enable-conditional-access#recommendations

 

OK, so if you have a tenant which has no active CSP Partner profile, then you are not bound by the MFA requirements in there and then you can use Trusted IP ranges, or any other options in conditional access policies, to exclude the user from MFA in certain scenarios. Personally I'd advise following a zero trust security approach and not excluding IP ranges from security measures, but using things like "Require compliant device" as an alternative control to MFA.

Kind regards,
Janosch
Level 2 Contributor

Without diving too deep into the weeds, there's something special about the CSP requirements in that even our tenant that is not associated with the CSP Partner Profile (to me this means the tenant where we use the Partner Center Dashboard to manage our CSP customers) needs to have MFA enforced for all users.  In that tenant, we have users and service accounts that today depend on Basic authentication and use App Passwords.  If we didn't have any legacy authentication requirements, we could just flip the switch on Security Defaults and be on our way without the per-user MFA stuff.

 

For my personal lab environment where I'm in charge of everything, everything is lickety-split using Conditional Access and Intune, and everything MFA-related works perfectly like a charm.  I do agree 100% with your advice for the zero trust security approach.  I guess we'll get there soon enough at work too :).

Microsoft

The CSP security requirements only apply to the Partner Center where you have agreed to the Microsoft Partner Agreement. So if you don't have a CSP profile, the security requirements, as per contract, do not apply. It may be that no customers are listed, but the CSP profile is still active.

You can send me a pm with your tenant name/Partner ID I can check for you.

There is one special scenario - if you are not a CSP, but an "Advisor" partner (you would see an "Advisor Profile" in settings and may have customers listed as Advisor) - then the MFA requirement would also apply because the DPOR for Advisor can also give you delegated admin permission on customers. However, I would check with support whether the Advisor profile could be removed - and the DPOR be set to another ID, for example the location ID that points to your CSP profile in another tenant.

Kind regards,
Janosch