There appears to be some confusion, especially among small and medium-sized businesses that have just started their cloud journey, about what Azure MFA and Office 365 contain and what your entitlements are.
Let's start by talking about MFA for Office 365.
MFA for Office 365 is included for FREE in your Office 365 subscription and is an easy way to secure your Office 365 logins by enabling multi-factor authentication (this can include text message, phone call and using the app).
To configure this, log in to your admin portal at Office 365 with a Global Admin user, go into Azure Active Directory > Users and then click on the Multi-Factor Authentication button.
You can then select the users you want to enable this for (don't forget that the Global Admin users are now Enforced to have MFA enabled).
Click on Service Settings at the top and you can then configure items such as Trusted Locations or, more importantly, the two-factor auth type.
But we know how annoying this is going to be for users, having to enter the MFA details or approve the MFA login every time they want to use your Office 365 or Azure services.
Grab yourself an Azure Active Directory P1 license and this will open up the ability to use Conditional Access. So for me, I leave all of the users in the above screenshot disabled (except the Admin users) and then head to Azure AD and configure Conditional Access.
- Click on New Policy and call it something meaningful – like Azure MFA.
- Select All Users – as we want it to apply to everyone. But be sure to have a BreakGlass Admin account that you exclude from this policy in the event of emergencies.
- Select All Cloud Apps
- Select All Platforms (including unsupported)
- Click on Access Controls and we then configure what must be met before we allow the user to access the resources. Here I normally select 3 options and only one of them HAS to be met;
And that is pretty much it. You can of course tailor this to suit your own company's security requirements: create Groups that a policy applies to exclusively, or create Groups for which certain policies enforce stricter requirements, for example requiring all three of the above controls to be met.
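The policy built in the steps above can be checked once it is exported as JSON. The following is an added example, not part of the original post: it audits a policy in the Microsoft Graph `conditionalAccessPolicy` shape for the settings described above, including the break-glass exclusion. The sample policy, the placeholder object ID and the choice of three grant controls are assumptions, since the post does not name its three options.

```python
# Constructed placeholder object ID for the break-glass admin (not a real account).
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"

# Constructed sample in the Microsoft Graph conditionalAccessPolicy shape.
# The three grant controls are an assumption; the post does not name its three.
SAMPLE_POLICY = {
    "displayName": "Azure MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["all"]},
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"],
    },
}

def audit_policy(policy, break_glass_id):
    """Return findings; an empty list means the policy matches the steps above."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    platforms = cond.get("platforms") or {}  # absent means every platform
    grant = policy.get("grantControls") or {}
    if "All" not in (users.get("includeUsers") or []):
        findings.append("does not target All Users")
    if break_glass_id not in (users.get("excludeUsers") or []):
        findings.append("break-glass account is not excluded")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("does not cover All Cloud Apps")
    if platforms and "all" not in (platforms.get("includePlatforms") or []):
        findings.append("does not cover all platforms")
    controls = grant.get("builtInControls") or []
    if not controls:
        findings.append("no grant controls configured")
    elif len(controls) > 1 and grant.get("operator") != "OR":
        findings.append("operator is not OR: every control must be met")
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state: %s)" % policy.get("state"))
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, BREAK_GLASS_ID))
```

The check only looks at `excludeUsers`; if the break-glass account is excluded through a group instead, group membership has to be resolved separately.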
In the above sections you can see how using Conditional Access will give you more granular control over MFA and also a better user experience (users don't want to be bothered by MFA unless they need to be).