In this article we’re going to walk through the steps needed to deploy MFA using Azure AD Conditional Access. The basic gist is we’ll create a dynamic group for all users with an E1 license, have that group assign an EMS license and enforce multi-factor authentication. The best part about it, is that it can all be automated! And we love our automated processes. There are however, a couple of settings we’ll need to check before rolling out MFA so we’ll start off by taking a look at those first. Another important thing to note is that you’ll need an Azure AD Premium license to use conditional access so it will cost a little money upfront.

If you have any questions on anything in this article, feel free to drop me a comment and I’ll do my best to get back to you.

Multi-Factor Authentication (MFA) – Getting Started

As mentioned above, if you haven’t deployed MFA in your tenant at all, there are some basic settings we need to look at before hand. We can access those settings via the direct link or navigating through the portal. Below you can find how to do both.

Configure MFA Settings Direct Link: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx.

Navigate through the portal: https://portal.azure.com -> Azure Active Directory -> MFA -> Configure additional cloud-based MFA settings

Once there you’ll be prompted with some simple options.



App Passwords

App passwords are most commonly needed for orgs that have older versions of Office, such as Office 2010. Office 2016 supports modern auth and ADAL

App passwords have been a pain in my experience and not user friendly

Trusted IPs

Trusted IPs are used if you want to bypass MFA

IPs can be easily spoofed so I’ve never enabled this in production

Verification Options

Call and Text are considered insecure in today’s standards so I leave them unchecked

Notification through mobile app uses the Microsoft Authenticator App and is very convenient

Verification uses a 6 digit code and you have to manually enter in at the prompt. Less convenient

Remember Multi-Factor Authentication

Set a number of days the token remains valid. Environments I’ve seen typically use 30 days

This is a per device setting. If a new device authenticates, it will need to MFA

Deploy MFA Using Azure AD Conditional Access

Now that we have the basics out of the way, lets deploy MFA using Azure AD Conditional Access. Again, conditional access is part of the Azure AD Premium license so you will need to purchase that. Typically, you can get Enterprise Mobility + Security (EMS) E3 and that should be cover the licenses needed for this. EMS E3 also gives you the license for Intune and Mobile Device Management (MDM) but that’s a separate topic.

In the Azure Portal -> go to Azure Active Directory -> Conditional Access

-> go to -> Create a New Policy and name it Require Users Enroll in MFA





Under Users and Groups : Specify the option that suits you

: Specify the option that suits you I created a Dyanimic Group to automatically grab all E1 Licensed Users





Under Cloud Apps or Actions : Specify the option that suits you

: Specify the option that suits you I chose all cloud apps because I want to MFA everywhere





Under Conditions : Specify the options that work best for you

: Specify the options that work best for you I chose to select all client apps





Finally Under Access Control : Specify Grant Access

: Specify Require multi-factor authentication





User Experience When Enrolling in Multi-Factor Authentication (MFA)

As important as it is to require MFA for your users, it is equally important to make sure they understand the process and have a good user experience. A good user experience will help adoption rates which will probably lead to less tickets in your queue (hopefully).

In any event, during my testing I noticed that it took a while to get prompted for MFA registration. I think that’s because it was evaluating the policies, but it took somewhere between 15-30 minutes after everything was setup. Let’s see what the user will experience on their end.

Once a user hits an app that requires MFA, they will be prompted with this message box:

More information required. Your organization needs more information to keep your account secure





Download the Microsoft Authenticator App on your smart phone device

on your smart phone device In the dropdown, select Mobile App for your contact method

for your contact method Select the radio button to receive notifications for verification

Click Setup

Follow the prompts to complete





After you’ve successfully registered, you can now approve sign in requests





Hopefully this step by step guide was helpful enough to Deploy MFA Using Azure AD Conditional Access for your environment.