A new feature currently in preview for Azure AD is pre-built (baseline) Conditional Access Policies (CAP). It is currently available to organizations with Azure AD Free (which is pretty much everyone who has Azure AD Connect enabled). Admins can now make use of four conditional access policies. The four policies are:
1. Require MFA for admins
2. End User Protection
3. Block Legacy Authentication
4. Require MFA for Service Management
For this article, I’ll go over how to enable policy number 2, which forces all users to register for MFA (within 14 days) and forces an MFA check during “risky situations.” I would also recommend enabling policy number 1; the instructions to do so are very similar. At any rate, let’s begin.
Enable End User Protection Policy for MFA
- Go to portal.azure.com and log in.
- Click on the Search bar at the top of the screen.
- Search for “Conditional Access” and click on the Conditional Access icon (shown here).
- Once in the Conditional Access – Policies page (It’s the default page in the Conditional Access Blade), click “Baseline policy: End user protection.”
- Once the policy blade appears, the only option is to turn MFA for end users On or Off. Select On, click Save, and you’re done. The next time each user logs on, they will be prompted to register for MFA and will have 14 days to do so; after that, they are blocked from accessing their account until they complete registration.
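Once the policy is on, the practical question is which users have still not registered before the 14-day window closes on them. The following PowerShell script is an added example, not code from the original post; it uses the MSOnline module (the Azure AD module of this article’s era, which Microsoft has since deprecated in favour of Microsoft Graph PowerShell), so it assumes that module is installed and that the signed-in account can read user objects. The `StrongAuthenticationMethods` collection on each user is empty until registration is completed, which is what the report keys on; the output file name is the script’s own choice.

```powershell
# Added example (not from the original post): report MFA registration status
# after the End User Protection baseline policy is enabled.
# Assumes the MSOnline module is available (Install-Module MSOnline) and the
# caller has rights to read all users in the tenant.

# Interactive sign-in to the tenant
Connect-MsolService

# Pull every user once; filtering client-side avoids repeated directory calls
$users = Get-MsolUser -All

$report = foreach ($u in $users) {
    # A user has registered for MFA once at least one method is stored
    $registered = ($u.StrongAuthenticationMethods.Count -gt 0)

    # The method flagged IsDefault is what the user is challenged with
    $default = '(none)'
    if ($registered) {
        $default = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
    }

    # Per-user MFA (Enabled/Enforced) is a separate mechanism from Conditional
    # Access; it is reported here only so the two are not confused
    $perUserState = 'Disabled'
    if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $perUserState = $u.StrongAuthenticationRequirements[0].State
    }

    [PSCustomObject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        SignInBlocked     = $u.BlockCredential
        MfaRegistered     = $registered
        DefaultMethod     = $default
        PerUserMfaState   = $perUserState
    }
}

# Enabled accounts with no registered method are the ones the 14-day window
# will eventually lock out; review this list before the deadline passes.
$notRegistered = $report | Where-Object { -not $_.MfaRegistered -and -not $_.SignInBlocked }

$notRegistered | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Keep the full snapshot so registration progress can be compared over time
$report | Export-Csv -Path .\mfa-registration-status.csv -NoTypeInformation
```

Run it again a few days after enabling the policy and diff the CSV against the first snapshot; accounts that stay in the not-registered list (service accounts, shared mailboxes, users on leave) are the ones that need a plan before the window expires.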
That’s All Folks!
And that’s all there is to it. If you have a higher-level subscription to Azure AD Premium, you will have more control over the conditional access policies that can be used. But as long as you have any Office 365-based service or have subscribed to Azure AD Free, you have access to MFA and the policies outlined in this post. Enabling MFA is extremely beneficial for securing your environment and will significantly reduce the risks associated with life in the cloud.