The Enabling Technologies Blog


Scott Barr / /

Multi-factor Authentication (MFA) Tips and Considerations Part 2

MFA doesn't have to be a full time burden because you can leverage conditional access (with appropriate Azure MFA licensing) to your advantage. Conditional access policies allow you to define specific conditions for when MFA might be enforced for a given sign-in.  

What does that mean? You don't have to enforce an MFA challenge on non-privileged accounts for every sign-in - you pick and choose when MFA should be enforced. 

What are your options for conditional access? 

Who? Scope (assign) it to specific users or groups of users based on their access. Are they high value targets for potential compromise? 

What? Scope MFA to specific applications like Exchange Online, SharePoint Online, or SalesForce. Use different policies for different applications. The more sensitive the application and data being accessed is, the more restrictive the conditional access policy should be. 

When? Scope it to enforce MFA only when a device is not compliant, or the login is deemed risky, or if the device is domain joined. 

Where? Enforce MFA with location conditions, for instance, when the user is off the corporate network, or logging in from an unfamiliar location. 

Ultimately you must decide on what works best for your organization. 

More tips & considerations

DO NOT use the same password in more than one place unless you really don't care about your data. 

  • Check dates on articles for freshness (you check the born-on date for your beer, right?) 
  • Change is constant, just because you did it one-way last week doesn't mean it's done the same way this week - stay abreast of changes 
  • Subscribe to or follow Microsoft blogs - you'll quickly determine whose info is accurate, always refer to Microsoft when reading 3rd party articles as they do get it wrong sometimes (so does Microsoft) - cross-reference and verify your configurations 
  • When creating new policies, start small and COMMUNICATE - use a layered approach and allow time to uncover issues 
  • Twitter, LinkedIn, RSS feeds are excellent resources for the latest info 

 

Other resources: 

 

Conditional Access Best Practices 

Location conditions in Azure Active Directory conditional access 

Subscribe to Email Updates

Refine by

To expand the list, please click on the double arrows.

 

Search by Category or Author: