Understanding MFA Behavior with Microsoft Policies and Per-User MFA

Asked By CuriousCat123 On

I'm currently migrating to Office 365, aiming for a hybrid setup. We're not using Azure P1 licenses for custom conditional access policies, so we only have the default Microsoft policies available. Right now, I've disabled these MFA policies to utilize per-user MFA, but I'm a bit unclear on what users will experience. It seems that if per-user MFA is disabled, users still need to set up MFA. Additionally, it looks like they won't need to re-authenticate for Outlook Web App (OWA) unless their Windows machine has been turned off or a significant time has passed since their last MFA. Is that how it works? Also, if I turn per-user MFA to 'enforced', does that increase the frequency at which users are prompted to authenticate, especially after they close and reopen their browser? Thanks for any insights!

3 Answers

Answered By TechieTim83 On

I’d recommend just disabling any conditional access policies and enabling security defaults instead. You can check out what those security defaults actually change. Just so you know, default MFA session tokens last for 90 days on trusted devices, so that might help manage user expectations too.

Answered By MFAExpert On

Just so you know, per-user MFA is kind of outdated now, and it’s best to keep all users in a 'disabled' state for it. Since you don't have any custom conditional access policies, security defaults are likely applying automatically. This means users are still required to authenticate even with your current setup, despite how it might seem.

Best practices for your scenario include:
1. Consider getting Entra P1 licensing if possible for better management.
2. If you can't get that, definitely stick with security defaults.
3. Keep per-user MFA turned off.
4. Make sure your Authentication Settings in Entra are up to date for the correct MFA options.
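As an added example (not part of any answer above), here is a read-only audit of the three things this answer turns on: whether security defaults are enabled, whether any Conditional Access policies exist, and each user's legacy per-user MFA state. It assumes the Microsoft.Graph PowerShell SDK; the function name and the Graph API version used for the per-user MFA lookup are assumptions.

```powershell
# Added example: read-only audit of the MFA posture discussed above.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account can consent to these read-only scopes. Function name is hypothetical.
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All', 'User.Read.All' -NoWelcome

function Get-TenantMfaPosture {
    # 1. Security defaults: when IsEnabled is $true, all users must register for
    #    and complete MFA regardless of the legacy per-user MFA setting.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    [pscustomobject]@{ Check = 'SecurityDefaultsEnabled'; User = '-'; Value = $sd.IsEnabled }

    # 2. Conditional Access policies: security defaults and CA policies cannot be
    #    active at the same time, so a non-zero count means defaults are off.
    $ca = Get-MgIdentityConditionalAccessPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'ConditionalAccessPolicyCount'; User = '-'; Value = @($ca).Count }

    # 3. Legacy per-user MFA state per user; the answer recommends 'disabled'.
    #    Endpoint path / API version is an assumption; adjust if your tenant differs.
    Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object {
        $req = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/beta/users/$($_.Id)/authentication/requirements"
        [pscustomobject]@{
            Check = 'PerUserMfaState'
            User  = $_.UserPrincipalName
            Value = $req.perUserMfaState
        }
    }
}

$posture = Get-TenantMfaPosture
$posture | Format-Table -AutoSize

# Flag users whose legacy per-user MFA is still 'enabled' or 'enforced'.
$posture | Where-Object { $_.Check -eq 'PerUserMfaState' -and $_.Value -ne 'disabled' }
```

If the first row shows security defaults enabled, the per-user rows explain nothing about the prompt frequency users see; the defaults policy is what is challenging them.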

User12345 -

I appreciate that clarification! I had been advised by one of our contractors that, without Azure P1 licenses, we should use Microsoft’s default Conditional Access policies while turning on Per-User MFA for more control. But I discovered, as you said, that you can't actually disable Microsoft Security Defaults if you don’t have P1 licenses, even if the UI suggests you can.

Since these security defaults seem to apply to my tenant, do you know what the typical MFA behavior is for OWA and the new Outlook? It seems like users are not prompted for MFA again after their first setup, which was different from our previous on-prem requirements.

Thanks again for your help!

Answered By AdminGuru2020 On

Are security defaults turned on for you? That could definitely impact what’s happening with MFA, especially since you mentioned not having custom policies available.
