
Move from per-user MFA to Conditional Access MFA

It’s best to use Conditional Access based MFA when you have Azure AD Premium P1 or P2, because it gives you more control and flexibility when creating a policy. In this tenant, per-user MFA is enabled, and we want to convert from per-user MFA to Conditional Access based MFA. How does that work? In this article, you will learn how to move from per-user MFA to Conditional Access based MFA step by step.


Moving from Microsoft 365 MFA to Azure Active Directory Conditional Access can be done in three steps:

  1. Move from per-user MFA to Conditional Access MFA (this article)
  2. Move from MFA trusted IPs to Conditional Access named locations
  3. Move from remember MFA on trusted device to Conditional Access sign-in frequency

Conditional Access MFA

You want to move from per-user MFA to Conditional Access MFA without forcing all your users to re-register. Asking your users to re-register MFA is a big task, and the service desk does not want to handle all those calls. The question is: is it possible to move without re-registering MFA? Yes, it is.

If you configure a Conditional Access policy to trigger MFA and disable per-user MFA, users will not need to re-register for MFA, because disabling per-user MFA doesn’t clear the registered MFA methods. When you use a Conditional Access policy for MFA, you should not enable per-user MFA; keep it in the disabled state.

Do you want to know the per-user MFA status? In a previous article, we discussed how to export Office 365 users’ MFA status with PowerShell.

Check Azure AD Premium license

Sign in to Microsoft Azure and check that you have Azure AD Premium plan 1 or 2. In the portal, navigate to Azure Active Directory > Overview. In the example below, there is no Azure AD Premium subscription.

[Screenshot: Azure AD overview without an Azure AD Premium subscription]

The license needs to show Azure AD Premium P1 or Azure AD Premium P2. In this example, the tenant has the Azure AD Premium P2 license.

[Screenshot: Azure AD overview with an Azure AD Premium P2 subscription]

Check per-user MFA status

Sign in to Microsoft 365 admin center. Navigate to Users > Active Users > Multi-factor authentication.

[Screenshot: Microsoft 365 admin center, Active users > Multi-factor authentication]

A new page will open that shows all the users and their multi-factor auth status. In our example, we have users with each of the MFA statuses: enabled, enforced, and disabled.

Important: Disable per-user MFA for all users when enabling MFA using Conditional Access.

[Screenshot: multi-factor authentication status per user]

Connect to Azure AD PowerShell

Before converting to Conditional Access MFA, start Windows PowerShell as administrator and connect to Azure AD PowerShell (the MSOnline module).

PS C:\> Connect-MsolService

Convert per-user MFA to Conditional Access based MFA with PowerShell

An excellent way to convert from per-user MFA to Conditional Access MFA is with PowerShell. Download the Convert-PU-to-CA.ps1 PowerShell script and place it in the C:\scripts folder. Create the scripts folder if you don’t have one.

# Sets the per-user MFA requirement state (Disabled, Enabled or Enforced) for one user.
# Accepts MsolUser objects from the pipeline, so it can be fed directly from Get-MsolUser.
function Set-MfaState {

    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName = $True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName = $True)]
        $UserPrincipalName,
        [ValidateSet("Disabled", "Enabled", "Enforced")]
        $State
    )

    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        # An empty requirements array clears per-user MFA; the registered methods stay intact
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement =
                [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }

        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
            -StrongAuthenticationRequirements $Requirements
    }
}

# Disable per-user MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled

Run Convert-PU-to-CA.ps1 PowerShell script.

PS C:\> cd c:\scripts\
PS C:\scripts> .\Convert-PU-to-CA.ps1

Create MFA Conditional Access policy

In the previous step, you disabled per-user MFA for everyone by running the PowerShell script. If you sign in with a user account now, it will not ask for MFA. The next step is to create an MFA Conditional Access policy.

Sign in to the Azure portal. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Click on New Policy.

[Screenshot: Azure AD > Security > Conditional Access > New policy]

Give the policy a name, for example, MFA all users. Select all users and all cloud apps. Under Grant, select Grant access and enable Require multi-factor authentication. Enable the policy and click Save.

It can take a couple of minutes before the Conditional Access policy changes take effect.
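The same policy can be created from PowerShell instead of the portal. The following is an added example, not a script from the article or its author; it uses the Microsoft Graph PowerShell SDK (assumed to be installed, Microsoft.Graph.Identity.SignIns module) and the Conditional Access policy schema from Microsoft Graph. The function name and the optional list of excluded user object IDs are assumptions.

```powershell
# Added example (not from the article): create the "MFA all users" policy with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph.Identity.SignIns module.
function New-MfaAllUsersPolicy {
    param(
        [string]$DisplayName = "MFA all users",
        # "enabledForReportingButNotEnforced" stages the policy in report-only mode first
        [ValidateSet("enabled", "disabled", "enabledForReportingButNotEnforced")]
        [string]$State = "enabled",
        # Object IDs to keep out of the policy (assumption: e.g. an emergency-access account)
        [string[]]$ExcludeUserIds = @()
    )

    $users = @{ includeUsers = @("All") }
    if ($ExcludeUserIds.Count -gt 0) {
        $users.excludeUsers = $ExcludeUserIds
    }

    # Same settings as the portal steps: all users, all cloud apps, grant with MFA required
    $policy = @{
        displayName   = $DisplayName
        state         = $State
        conditions    = @{
            users        = $users
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Policy.Read.All and Policy.ReadWrite.ConditionalAccess are the Graph permissions needed
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"
New-MfaAllUsersPolicy -State "enabled"
```

Running it with `-State "enabledForReportingButNotEnforced"` first lets you watch sign-in logs for a pilot before enforcing, and passing `-ExcludeUserIds` keeps an account that must never be locked out of the policy.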

[Screenshot: Conditional Access policy MFA all users with Require multi-factor authentication]

The Azure AD MFA Conditional Access policy is in place. You have successfully moved from per-user MFA to Conditional Access based MFA. The last step is to verify the changes and confirm that it’s working.

Verify your work

All users show the MFA status disabled on the Microsoft 365 Multi-Factor Authentication page.

[Screenshot: multi-factor authentication status disabled for all users]

Signing in with an account that already had MFA configured works again without setting up MFA from scratch.

[Screenshot: sign-in test with an account that already had MFA registered]

Users that did not have MFA set up, and newly created users, will be asked to go through the MFA setup when they sign in for the first time. For example, in

[Screenshot: sign-in test with a user who is prompted to set up MFA]

From now on, you will manage MFA from Azure. That’s great because there are many more Conditional Access policy options you can look into and enable according to your organization’s requirements.

Note: Always enable MFA for users! It protects accounts against attacks and compromised passwords by adding another layer of protection.



You learned how to move from per-user MFA to Conditional Access MFA. First, connect to Azure AD with PowerShell and run the script to disable per-user MFA for all users. After that, create a Conditional Access policy in Azure. Finally, test and verify that MFA works when signing in.




ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started in Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 16 Comments

  1. Any advice on moving from Security Defaults managed MFA to Conditional Access?
    (I had a bit of a bumpy experience with a client, quite a few users’ MFA stopped working)

      1. Security Defaults doesn’t turn on per-user MFA. They all still show as disabled. I still don’t know where Security Defaults turns on MFA.

  2. Thanks for a great post. I decided to exclude my trusted office locations from this CA policy; however, this meant that new users aren’t prompted to register for MFA the first time they sign in like they were with per-user MFA.

    I would like to make sure they are at least registered so that when they leave the office they are set up. It would also be great to have this automated so that we don’t have to tell them to visit Can you think of the best way to handle this?

    My reasoning around excluding trusted locations is so that multi-function printers can send email without MFA auth and so that users don’t get MFA notification fatigue and hit approve all the time.

  3. Hi Ali, thank you!
    Can I leave some users in user-based MFA and others in the CA rule while we make the transfer?

    1. Make sure that you exclude these users that have per-user MFA enabled from the Conditional Access policy. Also, try it out first with a group (Pilot) before you deploy it to the rest.

  4. Hi Ali, thanks a lot!
    I have a doubt… What happens if I have a user with per-user MFA enabled and added to that Conditional Access rule?

    1. It’s not recommended to have per-user MFA enabled and Conditional Access for the same user. You will have issues with MFA authentication.

      For example, you have Intune and want to sign in to set up the device for the first time. Unfortunately, this will not work, and it will not let you go through the step.

      I recommend using Conditional Access (premium) and only using per-user MFA (basic) when you don’t have Azure AD Premium.

  5. Fixed an issue with Azure joined devices and Conditional Access conditions not working. I was trying to exclude MFA for Azure hybrid joined devices. Seems user-based MFA and Conditional Access do not coexist very well….
    Due to the fact that the test users were user-based enforced, no condition in Conditional Access would exclude the user on a hybrid joined device from MFA. Turning off user-based MFA solved the issue! Thanks Ali!!! Great post.

  6. Hi,
    this doesn’t work for me, and I’m confused as to why….
    1. Not sure why you need to use PowerShell to disable MFA for all users. Surely you just click the global check box at the top of the list and select “disable”. Much quicker, unless I’m missing something here.
    2. If I disable MFA for a specific user and then apply a CA policy, their account then shows as “enforced”, right? However, when the user opens Outlook (desktop app) it constantly asks for a password and never accepts the correct one. If, however, I change their MFA status to “enabled”, it allows the password for Outlook through without constantly prompting for it.
    Any advice on this please?

    1. Hi,

      1. If you have a small organization, that’s fine. However, if you have thousands of users, it’s better to use the script and save yourself time.

      2. When you disable per-user MFA and apply the CA policy, the per-user MFA will stay disabled. It should not show as enforced.

      Check that modern authentication is enabled. If not, enable modern authentication in Office 365 admin center.

      Per-user MFA overwrites the CA policy. That’s why it’s working when you enable per-user MFA.
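The modern authentication check mentioned in the reply above can be done from Exchange Online PowerShell as well. The following is an added example, not from the article or its author; it assumes the ExchangeOnlineManagement module is installed and that the account used has the rights to read and change the organization configuration.

```powershell
# Added example (not from the article): verify that modern authentication (OAuth2) is
# enabled in Exchange Online, which Outlook needs to satisfy a Conditional Access MFA
# prompt instead of looping on a basic-auth password dialog.
# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

$config = Get-OrganizationConfig
if ($config.OAuth2ClientProfileEnabled) {
    Write-Output "Modern authentication is already enabled."
} else {
    Write-Warning "Modern authentication is disabled; enabling it now."
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# Re-read the setting to confirm the result; expect True
(Get-OrganizationConfig).OAuth2ClientProfileEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

After enabling it, restart Outlook on an affected machine so it picks up modern authentication and receives the Conditional Access MFA prompt rather than the repeated password dialog.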
