Azure MFA requirement

Vertigo

Vertigo

Vertigo

Soldato
Joined
28 Dec 2003
Posts
16,523
Not sure if this belongs in here but couldn't see anywhere more appropriate.

As I'm sure many are aware, MS are enforcing MFA for Azure logins starting from 15/10. To this end I've been trying to work out how to enable it on my login but am totally lost.

Firstly, I'm getting contradictory information on whether Entra ID P1 is required for MFA or only for conditional access. Can MFA be used without CA and/or without an Entra ID P1 licence?

Secondly, my user account is using a 365 E3 licence which, according to MS, does include Entra ID P1. Despite this, all options to enable MFA are missing or greyed out and some actually say I need "Entra ID Premium" and offer options to start a trial.

I'm lost here and can't work out what I need to do to get this enabled or if I need to pay for additional licences to enable it.
I can't help feeling that, if Entra ID P1 was required to enable MFA then, as MS would effectively be forcing a lot of people to pay for additional licences to enable MFA, there'd have been a lot more publicity and complaints surrounding this change, wouldn't there?

If anyone has any advice or pointers, I'd appreciate it.
 
Yes MFA can be used without CA or without an Entra ID P1 License.

learn.microsoft.com

Microsoft Entra multifactor authentication versions and consumption plans - Microsoft Entra ID

Learn about the Microsoft Entra multifactor authentication client and different methods and versions available.
learn.microsoft.com

All Microsoft 365 plansMicrosoft Entra multifactor authentication can be enabled for all users using security defaults. Management of Microsoft Entra multifactor authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Microsoft Entra ID P1 or P2 and use Conditional Access.
 
You can enable Security Defaults and it will allow MFA.

You can configure your own MFA method by going to https://aka.ms/mfasetup

You can add your MFA method before enabling Security Defaults.

Microsoft are very slow on requiring this and my experience is that users are reluctant to want to use it unless forced, despite the fact that I've witnessed various account hacks and potential data loss as a result of people not simply using it.

Recommend using the Microsoft Authenticator app vs Phone/SMS.
 
Last edited:
CA is more flexible, think of it as a bunch of if statements

For example you could block countries so people can’t sign in from that location a vpn will soon get round it

You could say if the device is not compliant then don’t allow the sign-in but for that you need intune

Which is included in the Microsoft 365 e3 license
 
Got it working - all fairly simple via security defaults.

Typical Microsoft, obviously obfuscating that you can do it easily (and free) using security defaults and trying to convince you that you need CA and Entra ID P1.

I understand the benefits of CA however this is only needed for a few administrative logins to the Azure portal. We're actually moving away from 365 so I don't have a raft of users all logging into Outlook/Teams/etc every day.
 
You must log in or register to reply here.
Back
Top Bottom