
Move from per-user MFA to Conditional Access MFA

It’s best to use Conditional Access based MFA when you have Azure AD Premium P1 or P2. It gives you more control and flexibility when creating a policy. In this tenant, we have per-user MFA enabled, and we want to convert from per-user MFA to Conditional Access based MFA. How does that work? In this article, you will learn how to move from per-user MFA to Conditional Access based MFA step by step.

Introduction

Moving from Microsoft 365 MFA to Azure Active Directory Conditional Access can be done in three steps:

  1. Move from per-user MFA to Conditional Access MFA (this article)
  2. Move from MFA trusted IPs to Conditional Access named locations
  3. Move from remember MFA on trusted device to Conditional Access sign-in frequency

Conditional Access MFA

You want to move from per-user MFA to Conditional Access MFA without forcing all your users to re-register. Asking your users to re-register MFA is a big task, and the service desk does not want to handle all those calls. The question is: is it possible to move without re-registering MFA? Yes, it is.

If you configure a Conditional Access policy to trigger MFA and disable per-user MFA, users will not be required to re-register for MFA, because disabling per-user MFA doesn’t clear the registered MFA methods. When you use a Conditional Access policy for MFA, you should not enable per-user MFA; keep all users in the disabled state.

Do you want to know the per-user MFA status? In a previous article, we discussed how to export the MFA status of Office 365 users with PowerShell.

Check Azure AD Premium license

Sign in to Microsoft Azure and check that you have Azure AD Premium plan 1 or 2. In the portal, navigate to Azure Active Directory > Overview. In the example below, there is no Azure AD Premium subscription.

Screenshot: Azure AD Overview without an Azure AD Premium subscription

The license needs to show Azure AD Premium P1 or Azure AD Premium P2. In this example, the tenant has the Azure AD Premium P2 license.

Screenshot: Azure AD Overview with an Azure AD Premium P2 subscription

Check per-user MFA status

Sign in to Microsoft 365 admin center. Navigate to Users > Active Users > Multi-factor authentication.

Screenshot: Microsoft 365 admin center, Active users > Multi-factor authentication

A new page will open, and it will show all the users and their multi-factor auth status. In our example, we have a couple of users with each MFA status: enabled, enforced, and disabled.

Important: Disable per-user MFA for all users when enabling MFA using Conditional Access.

Screenshot: multi-factor authentication status per user

Connect to Azure AD PowerShell

Before converting to Conditional Access MFA, you need to start Windows PowerShell as administrator and connect to Azure AD PowerShell.

PS C:\> Connect-MsolService

Convert per-user MFA to Conditional Access based MFA with PowerShell

An excellent way to convert from per-user MFA to Conditional Access MFA is with PowerShell. Download the Convert-PU-to-CA.ps1 PowerShell script and place it in the C:\scripts folder. Create a scripts folder if you don’t have one.

# Sets the MFA requirement state
function Set-MfaState {

    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName = $True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName = $True)]
        $UserPrincipalName,
        [ValidateSet("Disabled", "Enabled", "Enforced")]
        $State
    )

    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement =
            [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }

        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
            -StrongAuthenticationRequirements $Requirements
    }
}

# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled

Run Convert-PU-to-CA.ps1 PowerShell script.

PS C:\> cd c:\scripts\
PS C:\scripts> .\Convert-PU-to-CA.ps1

Create MFA Conditional Access policy

In the previous step, you disabled per-user MFA for everyone by running the PowerShell script. If you sign in with a user account now, it will not ask for MFA. What you need to do next is create an MFA Conditional Access policy.

Sign in to the Azure portal. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Click on New Policy.

Screenshot: Azure AD > Security > Conditional Access > New policy

Give the policy a name. For example, MFA all users. Select all the users and all cloud apps. Grant access and enable Require multi-factor authentication. Enable the policy and click Save.

It can take a couple of minutes before the Conditional Access policy changes take effect.
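The same policy can also be created from PowerShell instead of the portal. This is an added example, not the article’s script; it assumes the AzureAD (or AzureADPreview) module is installed, that the signed-in account may manage Conditional Access, and it uses a clearly marked placeholder for an optional emergency-access account.

```powershell
# Added example (not the article's script): create the "MFA all users" policy from PowerShell.
# Assumes the AzureAD/AzureADPreview module and an account allowed to manage Conditional Access.
Connect-AzureAD | Out-Null

# Conditions: all users and all cloud apps, the same scope the article selects in the portal
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
# Optional, assumed placeholder: exclude an emergency-access account so a broken policy cannot lock every admin out
# $conditions.Users.ExcludeUsers = "<object-id-of-emergency-access-account>"

# Grant control: require multi-factor authentication
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# State "Enabled" matches the article; "enabledForReportingButNotEnforced" runs the policy in report-only mode first
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName "MFA all users" -State "Enabled" `
    -Conditions $conditions -GrantControls $controls

# Read the policy back and confirm scope, control and state before relying on it
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = 'Users'; e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Apps';  e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```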

Screenshot: creating the MFA Conditional Access policy

The Azure AD MFA Conditional Access policy is in place. You have successfully moved from per-user MFA to Conditional Access based MFA. The last step is to verify the changes and confirm that MFA works.

Verify your work

All users show the MFA status disabled on the Microsoft 365 Multi-Factor Authentication page.

Screenshot: multi-factor authentication status disabled for all users

Signing in with an account that already had MFA configured still prompts for MFA through the Conditional Access policy, using the existing registered methods, without setting up MFA from scratch.
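To check the per-user MFA status before the conversion and to verify it afterwards, the report below lists every user’s per-user state together with the MFA methods still registered. This is an added example, not the article’s script, and it assumes the MSOnline module with an existing Connect-MsolService session.

```powershell
# Added example (not the article's script): report per-user MFA state and registered methods.
# Assumes the MSOnline module and an existing Connect-MsolService session.
function Get-MfaStateReport {
    [CmdletBinding()]
    param()
    Get-MsolUser -All | ForEach-Object {
        # An empty StrongAuthenticationRequirements collection is what the admin center shows as "Disabled"
        $requirement = $_.StrongAuthenticationRequirements | Select-Object -First 1
        $state = if ($requirement) { $requirement.State } else { 'Disabled' }
        # Registered methods survive disabling per-user MFA, so CA-triggered MFA needs no re-registration
        $methods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfaState   = $state
            RegisteredMethods = $methods
        }
    }
}

$report = Get-MfaStateReport

# Overview: how many users are Disabled, Enabled or Enforced
$report | Group-Object PerUserMfaState | Select-Object Name, Count

# Any user still Enabled/Enforced keeps per-user MFA, which overrides the Conditional Access policy
$report | Where-Object PerUserMfaState -ne 'Disabled' | Format-Table -AutoSize

# Disabled users with no registered method will be asked to set up MFA at their first sign-in
$report | Where-Object { $_.PerUserMfaState -eq 'Disabled' -and -not $_.RegisteredMethods } | Format-Table -AutoSize
```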

Screenshot: sign-in test with a user that already had MFA configured

Users that do not have MFA set up, or newly created users, will be asked to go through the MFA setup when they sign in for the first time, for example at portal.office.com.

Screenshot: sign-in test with a user that has no MFA methods registered

From now on, you will manage MFA from Azure. That’s great because there are many more Conditional Access policy options you can look into and enable per organization requirements.

Note: Always enable MFA for users! It will protect the accounts from attacks and compromised passwords. It adds another layer of protection that helps organizations.


Conclusion

You learned how to move from per-user MFA to Conditional Access MFA. First, connect to Azure AD with PowerShell and run the script to disable per-user MFA for all users. After that, create a Conditional Access policy in Azure. Finally, test and verify that MFA works when signing in.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 4 Comments

  1. Fixed an issue with Azure joined devices and Conditional Access conditions not working. I was trying to exclude MFA for Azure hybrid joined devices. Seems user-based MFA and Conditional Access do not coexist very well….
    Due to the fact the test users were user-based enforced, no condition in Conditional Access will exclude the user on Hybrid Joined devices for MFA. Turning off user-based solved the issue! Thanks Ali!!! Great post.

  2. Hi,
    this doesn’t work for me, and I’m confused as to why….
    1. Not sure why you need to use PowerShell to disable MFA for all users. Surely you just click the global check box at the top of the list and select “disable”. Much quicker, unless I’m missing something here.
    2. If I disable MFA for a specific user then apply a CA policy, their account then shows as “enforced”, right? However, when the user opens Outlook (desktop app) it constantly asks for a password and never accepts the correct one. If, however, I change their MFA status to “enabled” it allows the password for Outlook through without constantly prompting for it.
    Any advice on this please?

    1. Hi,

      1. If you have a small organization, that’s fine. However, if you have thousands of users, it’s better to use the script and save yourself time.

      2. When you disable per-user MFA and apply the CA policy, the per-user MFA will stay disabled. It should not show as enforced.

      Check that modern authentication is enabled. If not, enable modern authentication in Office 365 admin center.

      Per-user MFA overwrites the CA policy. That’s why it’s working when you enable per-user MFA.
