Why Are Per-User MFA Settings Available in the Entra Admin Center?
Conditional Access Still Preferred Over Per-User MFA
I was asked if the existence of an option to manage per-user MFA in the Entra admin center (Figure 1) means that Microsoft plans better support for this option. The answer is an emphatic no. Microsoft continues to emphasize the use of conditional access policies to enforce multifactor authentication, the logic being that conditional access policies are far more flexible and effective than the blunt on-or-off nature of per-user MFA, which applies to every sign-in by an account regardless of app, location, device, or risk.
Per-user MFA predates conditional access. Largely because it originally appeared as a feature bundled with Office 365 E3 and E5 licenses, administrators have long been able to manage user MFA settings through the multifactor authentication page in the Microsoft 365 admin center, which refers to per-user MFA as “legacy.” Curiously, the Entra admin center isn’t so presumptive and restricts itself to a link to the MFA deployment planning guide.
Same User Interface for Per-User MFA
Both the Microsoft 365 admin center and the Entra admin center use much the same interface to permit administrators to configure per-user MFA, and both list guest accounts alongside member accounts. Seeing guest accounts in the list sometimes confuses administrators, but they appear because per-user MFA can be enabled for a guest account in exactly the same way as for a member account.
If Microsoft wants to focus on conditional access policies as the basis for enabling and enforcing multifactor authentication for Entra ID accounts, why does the option to manage per-user MFA exist in the Entra admin center? You might ask the same question about why Microsoft added a Graph API to deliver the ability to report the per-user MFA state for accounts.
Conditional Access Remains the Strategic Direction
In both cases, I think it’s a simple realization that customers use per-user MFA for their own reasons and that it’s better to have people use per-user MFA than no MFA at all. Perhaps an organization doesn’t have the Entra ID P1 licenses necessary to use conditional access policies (a situation more common in the SME sector than in enterprise tenants). Perhaps they haven’t had the chance to figure out what conditional access policies are needed to protect access for different groups of accounts and apps. Conditional access policies can be complex, and it’s easy to develop policies that conflict with each other or block access in unexpected situations, which is why report-only mode exists to evaluate a policy against real sign-ins before it is enforced.
Microsoft’s direction over the long term remains focused on conditional access policies. Even in the documentation for per-user MFA, Microsoft emphasizes that “The best way to protect users with Microsoft Entra MFA is to create a Conditional Access policy.” To back the assertion up, Microsoft continues to add new features to govern conditional access (with the side effect of increasing the potential for policy complexity) and continues to emphasize the need for phishing-resistant or otherwise strong authentication methods like the Authenticator app or passkeys.
Supporting the use of conditional access, Entra ID recommendations include a specific recommendation covering migration from per-user MFA to conditional access. Another recommendation covers movement away from SMS and voice as authentication methods.
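The two mechanisms mentioned above, the Graph API that reports per-user MFA state and the recommendation to migrate from per-user MFA to conditional access, fit together in a practical migration step. The following PowerShell is an added example written for this article; it is not Microsoft’s code or part of the original post. It assumes the Microsoft Graph PowerShell SDK, an administrator holding the requested permissions, the beta `/users/{id}/authentication/requirements` endpoint returning a `perUserMfaState` value of `disabled`, `enabled`, or `enforced`, and a hypothetical break-glass account named `breakglass@contoso.onmicrosoft.com` that must be excluded from any policy. It inventories accounts that currently rely on per-user MFA and stages a report-only conditional access policy requiring MFA for exactly those accounts.

```powershell
# Added example (not from the original article). Assumptions: Microsoft.Graph SDK
# installed; the signed-in admin is granted the scopes below; the beta
# authentication/requirements endpoint returns { "perUserMfaState": "..." }.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Step 1: inventory per-user MFA state for member accounts.
# One call per user, so this is slow in large tenants; run it off-hours.
$users = Get-MgUser -All -Filter "userType eq 'Member'" -Property Id, UserPrincipalName, AccountEnabled

$report = foreach ($u in $users) {
    $uri = "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    try {
        $req = Invoke-MgGraphRequest -Method GET -Uri $uri
        [pscustomobject]@{
            Id                = $u.Id
            UserPrincipalName = $u.UserPrincipalName
            AccountEnabled    = $u.AccountEnabled
            PerUserMfaState   = $req.perUserMfaState   # disabled | enabled | enforced
        }
    } catch {
        Write-Warning "Could not read per-user MFA state for $($u.UserPrincipalName): $_"
    }
}

# Summary of where the tenant stands before any migration.
$report | Group-Object PerUserMfaState | Select-Object Name, Count | Format-Table -AutoSize

# Accounts that rely on per-user MFA today; these are the ones a CA policy must cover
# before anyone turns per-user MFA off for them.
$migrate = $report | Where-Object PerUserMfaState -In @('enabled', 'enforced')
$migrate | Export-Csv -Path ".\PerUserMfaInventory.csv" -NoTypeInformation

if (-not $migrate) {
    Write-Host "No accounts use per-user MFA; nothing to migrate."
    Disconnect-MgGraph
    return
}

# Step 2: stage a report-only CA policy for those accounts.
# Hypothetical emergency access account (assumption); never leave it uncovered by an exclusion.
$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"
$breakGlassId  = ($users | Where-Object UserPrincipalName -EQ $breakGlassUpn).Id

$policy = @{
    displayName = "Migration: require MFA for accounts moving off per-user MFA"
    # Report-only: sign-ins are evaluated and logged but never blocked, so conflicts
    # with existing policies surface in the sign-in logs before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @($migrate.Id)
            excludeUsers = @($breakGlassId | Where-Object { $_ })
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created report-only policy $($created.Id) covering $($migrate.Count) accounts."

Disconnect-MgGraph
```

The script deliberately stops short of changing anyone’s per-user MFA state. The safe order is: run in report-only mode, review the sign-in logs for the policy, switch the policy to enabled, confirm users are being challenged by conditional access, and only then set `perUserMfaState` to `disabled` (a PATCH to the same endpoint) so that accounts are not left with both mechanisms, or worse, neither.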
Including the option to manage legacy per-user MFA, or to report the state of per-user MFA for individual accounts, doesn’t affect Microsoft’s strategic direction for controlling access to Entra ID tenants. It might just slow some organizations’ progress toward fully embracing conditional access.
Old Feature on the Way Out
I don’t know why Microsoft chose to include the option to manage per-user MFA in the Entra admin center. Given the long-term direction for Entra, it seems odd to include a legacy feature when a perfectly good admin console already supports management of that feature. But perhaps it’s just a matter of adding coverage to the console where administrators might logically look for MFA management. In any case, the important point is that there’s no change of direction. The original method to manage MFA is on the way out. The only question is when Microsoft will announce the date for the axe to descend.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.