
Move from per-user MFA to Conditional Access MFA

It’s best to use Conditional Access based MFA when you have Azure AD Premium P1 or P2, because it gives you more control and flexibility when creating a policy. In this tenant, per-user MFA is enabled, and we want to convert from per-user MFA to Conditional Access based MFA. How does that work? In this article, you will learn how to move from per-user MFA to Conditional Access based MFA step by step.

Introduction

You want to move from per-user MFA to Conditional Access MFA without forcing all your users to re-register, because asking every user to re-register MFA is a big task, and the service desk is not waiting for all those calls. The question is: is it possible to move without re-registering MFA? Yes, it is.

If you configure a Conditional Access policy to trigger MFA and disable per-user MFA, users will not be required to re-register for MFA, because disabling per-user MFA doesn’t clear the registered MFA methods. When you use a Conditional Access policy for MFA, you don’t need per-user MFA at all; keep every user in the disabled state.

Do you want to know the per-user MFA status? In a previous article, we discussed how to export Office 365 users’ MFA status with PowerShell.

Check Azure AD Premium license

Check that you have Azure AD Premium plan 1 or 2. Log into Microsoft Azure. In the portal, navigate to Azure Active Directory > Overview. In the example below, there is no Azure AD Premium subscription.

(Screenshot: Azure AD overview showing no Azure AD Premium subscription)

The license needs to show Azure AD Premium P1 or Azure AD Premium P2. In this example, the tenant has the Azure AD Premium P2 license.

(Screenshot: Azure AD overview showing the Azure AD Premium P2 license)

Check per-user MFA status

Log into Microsoft 365 admin center. Navigate to Users > Active Users > Multi-factor authentication.

(Screenshot: Microsoft 365 admin center, Active users, Multi-factor authentication)

A new page will open, and it will show all the users and their multi-factor auth status. In our example, we have a couple of users in the enabled, enforced, and disabled states.

Always enable MFA for users! It will protect the accounts from attacks and compromised passwords. It adds another layer of protection that helps organizations.

(Screenshot: multi-factor authentication status per user)

Connect to Azure AD PowerShell

Before converting to Conditional Access MFA, you need to start Windows PowerShell as administrator and connect to Azure AD PowerShell.

PS C:\> Connect-MsolService

Convert per-user MFA to Conditional Access based MFA with PowerShell

An excellent way to convert from per-user MFA to Conditional Access MFA is with PowerShell. Download the Convert-PU-to-CA.ps1 PowerShell script and place it in the C:\scripts folder. Create a scripts folder if you don’t have one.

# Sets the per-user MFA requirement state (Disabled, Enabled or Enforced) for a user.
# Accepts MsolUser objects from the pipeline, so it can be fed by Get-MsolUser.
function Set-MfaState {

    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName = $True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName = $True)]
        $UserPrincipalName,
        [ValidateSet("Disabled", "Enabled", "Enforced")]
        $State
    )

    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        # An empty requirements array means per-user MFA is disabled; the registered
        # authentication methods on the user are left untouched.
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }

        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
            -StrongAuthenticationRequirements $Requirements
    }
}

# Disable per-user MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled

Run Convert-PU-to-CA.ps1 PowerShell script.

PS C:\> cd c:\scripts\
PS C:\scripts> .\Convert-PU-to-CA.ps1

Create MFA Conditional Access policy

In the previous step, you disabled per-user MFA for everyone by running the PowerShell script. If you log in with a user account now, it will not ask for MFA. What you need to do next is create an MFA Conditional Access policy.

Log in to the Azure portal. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Click on New Policy.

(Screenshot: Azure AD Conditional Access, New policy)

Give the policy a name. For example, MFA all users. Select all the users and all cloud apps. Grant access and enable Require multi-factor authentication. Enable the policy and click Save.

It can take a couple of minutes before the Conditional Access policy changes take effect.
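The same policy can be created from PowerShell. This is an added example and not part of the article; it assumes the AzureADPreview module is installed, that you have already run Connect-AzureAD with an account allowed to manage Conditional Access, and that you replace the placeholder object ID with your own emergency-access account so a policy mistake cannot lock every admin out.

```powershell
# Added example (not from the article): create the "MFA all users" policy with PowerShell.
# Assumes the AzureADPreview module and an existing Connect-AzureAD session.
# The emergency-access object ID is a placeholder; replace it with your own account.
$BreakGlassObjectId = "00000000-0000-0000-0000-000000000000"  # placeholder

# Conditions: all users and all cloud apps, matching the portal steps above
$Conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$Conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$Conditions.Applications.IncludeApplications = "All"
$Conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$Conditions.Users.IncludeUsers = "All"
# Keep the emergency-access account out of the policy
$Conditions.Users.ExcludeUsers = @($BreakGlassObjectId)

# Grant control: require multi-factor authentication
$GrantControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$GrantControls._Operator = "OR"
$GrantControls.BuiltInControls = @("mfa")

# Create the policy in the enabled state
# (use "enabledForReportingButNotEnforced" instead of "Enabled" to pilot it in report-only mode first)
$Policy = New-AzureADMSConditionalAccessPolicy -DisplayName "MFA all users" `
    -State "Enabled" -Conditions $Conditions -GrantControls $GrantControls

# Read the policy back to confirm its state and grant control
Get-AzureADMSConditionalAccessPolicy -PolicyId $Policy.Id |
    Select-Object DisplayName, State, @{ n = "Grant"; e = { $_.GrantControls.BuiltInControls -join "," } }
```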

(Screenshot: Conditional Access policy "MFA all users" with all users, all cloud apps, and Require multi-factor authentication)

The Azure AD MFA Conditional Access policy is in place. You have successfully moved from per-user MFA to Conditional Access based MFA. The last step is to verify the changes and confirm that it’s working.

Verify your work

All users now show the MFA status disabled on the Microsoft 365 Multi-Factor Authentication page.

(Screenshot: multi-factor authentication page with all users in the disabled state)
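To check the per-user MFA status from PowerShell, both before you start (the Check per-user MFA status step) and as part of this verification, here is an added example that is not part of the article. It assumes an existing Connect-MsolService session and reads the StrongAuthenticationRequirements and StrongAuthenticationMethods properties of each MsolUser; the function name Get-PerUserMfaState is ours.

```powershell
# Added example (not from the article): report the per-user MFA state of every user
# and flag anyone still Enabled or Enforced. Assumes Connect-MsolService has been run.
function Get-PerUserMfaState {
    [CmdletBinding()]
    param()
    Get-MsolUser -All | ForEach-Object {
        # StrongAuthenticationRequirements is empty when per-user MFA is disabled
        $Requirement = $_.StrongAuthenticationRequirements | Select-Object -First 1
        $State = "Disabled"
        if ($Requirement) { $State = $Requirement.State }
        # Registered methods survive the disable, which is why no re-registration is needed
        $Methods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ","
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfaState   = $State
            RegisteredMethods = $Methods
        }
    }
}

$Report = Get-PerUserMfaState
# Summary per state (Disabled / Enabled / Enforced)
$Report | Group-Object PerUserMfaState | Select-Object Name, Count

# After Convert-PU-to-CA.ps1 has run, nothing should be left in Enabled or Enforced
$Leftover = @($Report | Where-Object { $_.PerUserMfaState -ne "Disabled" })
if ($Leftover.Count -gt 0) {
    Write-Warning ("{0} user(s) still have per-user MFA set:" -f $Leftover.Count)
    $Leftover | Format-Table UserPrincipalName, PerUserMfaState, RegisteredMethods -AutoSize
} else {
    Write-Host "All users are in the per-user MFA Disabled state."
}
```

Users with an empty RegisteredMethods column are the ones who will be prompted to set up MFA at their next sign-in, as described in the next step.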

Logging in with an account that already had MFA configured will work again without setting up MFA from scratch.

(Screenshot: sign-in test with a user that already had MFA configured)

Users that have not registered MFA yet, and newly created users, will be asked to go through the MFA setup when they sign in for the first time, for example at portal.office.com.

(Screenshot: MFA setup prompt for a user without registered MFA methods)

From now on, you will manage MFA from Azure. That’s great, because there are many more Conditional Access policy options you can look into and enable according to your organization’s requirements.


Conclusion

In this article, you learned how to move from per-user MFA to Conditional Access MFA. Connect to Azure AD with PowerShell. Run the script to convert per-user MFA to Conditional Access based MFA. After that, create a Conditional Access policy in Azure. Finally, test and verify that MFA works when signing in.

Did you enjoy this article? You may also like Add users to group with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.
