In Azure AD, Conditional Access policies give you the flexibility to secure Microsoft 365 applications based on different criteria and conditions. We can combine multi-factor authentication with Conditional Access to enforce MFA for users only under specific sign-in conditions. For example, enforce MFA when users sign in from unmanaged devices, untrusted IPs, or untrusted locations. In this post, we will explore how to create a new Conditional Access policy in Azure AD and configure MFA for users via security group membership.
Summary
- Requirements to set up MFA with CA policy
- Create a Conditional Access policy and Configure MFA settings
- Verify MFA Sign-in with Test user account
Requirements to set up MFA with CA policy
- Azure AD tenant with Azure AD Premium P1 (minimum) or trial license enabled for all the required users.
- A test user account (ex: MFATestUser) to verify the end-user MFA experience.
- A security group (ex: MFA-Security-Group) that includes the test user as a member. We will assign the new CA policy to this group. Later, you can add more users to this group if everything works fine with the test user.
Create a Conditional Access policy and Configure MFA settings
Follow the steps below to create a new CA policy and assign it to security group members.
- Sign in to the Azure portal with a Global administrator account and go to the Azure Active Directory blade.
- On the Azure Active Directory pane, in the left-hand navigation, select Security in the Manage section.
- On the Security page, in the left-hand navigation, select Conditional Access in the Protect section.
- On the Conditional Access policies page, click + New policy and select Create new policy.
- Enter a name for the new policy (ex: MFA Test Policy).
- Under Assignments, choose Users or workload identities, then select the Select users and groups radio button.
- Check the box for Users and groups to select users or groups.
- Search for and select the security group (ex: MFA-Security-Group), then click the Select button.
- Under Cloud apps or actions, choose All cloud apps. If needed, you can select specific apps or exclude certain apps from the policy.
- Under Conditions, choose Device platforms as Any device and Location as Any location. If needed, you can define your own conditions based on your requirement.
- Under Access controls, click Grant, choose Grant access, check the option Require multi-factor authentication, then click the Select button.
- Set the Enable policy toggle to On.
- Finally, click the Create button to create the policy.
- The new CA policy is now created. You can sign in to any Microsoft 365 application (ex: Teams) with the test user and check for the MFA prompt.
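The same policy can be created from Microsoft Graph PowerShell instead of the portal, which is useful when the policy must be repeatable across tenants. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns modules are installed, and that the group and policy names from the post are used.

```powershell
# Added example (not from the original post): create the post's CA policy
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.SignIns modules are installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Resolve the security group from the post by display name.
$group = Get-MgGroup -Filter "displayName eq 'MFA-Security-Group'"
if (-not $group) { throw 'Security group MFA-Security-Group not found' }

$policy = @{
    displayName = 'MFA Test Policy'
    # 'enabled' matches the post's "Enable policy: On". To observe the policy in
    # the sign-in logs before enforcing it, use 'enabledForReportingButNotEnforced'.
    state = 'enabled'
    conditions = @{
        users = @{
            includeGroups = @($group.Id)
            # Practitioner caveat: add excludeUsers = @('<object-id>') for an
            # emergency-access account so an MFA outage cannot lock admins out.
        }
        applications = @{ includeApplications = @('All') }   # "All cloud apps"
        platforms    = @{ includePlatforms = @('all') }      # "Any device"
        locations    = @{ includeLocations = @('All') }      # "Any location"
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # "Require multi-factor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what the tenant actually stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Created policy '{0}' ({1}) with state {2}" -f $check.DisplayName, $check.Id, $check.State
```

After running this, the policy appears in the portal exactly as if it had been created through the steps above, and the test user sign-in in the next section can be verified the same way.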
Verify MFA Sign-in with Test user account
Once you have successfully created the Conditional Access policy that grants access only with Azure MFA, follow the steps below to check the MFA sign-in flow for the user.
- Open a new browser window in InPrivate or Incognito mode or create a new user profile in the browser.
- Sign in to any Microsoft 365 online client (ex: Teams), or simply open the Multi-factor Verification page (https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx).
- Sign in with the test user account (ex: MFATestUser) that you have added as a member of the test security group (ex: MFA-Security-Group).
- After providing the test user credentials and clicking the Sign in button, you will see the window below with the message More information required. This window confirms that the CA policy has been applied to the user. Now, click Next to proceed.
- The next window will ask you to set up the Multi-factor Authentication methods, such as Microsoft Authenticator app or Phone code.
- In my case, I have selected the Phone code method to test the case with phone OTP code.
- In the next steps, provide your phone number and complete the OTP code verification to register your phone number for the Phone code authentication method.
- Close and reopen the browser window. Sign in again to the Multi-factor Verification page with the test user; the registered phone number now receives the OTP code, and you have to enter it to proceed.