Microsoft has introduced three new Multi-Factor Authentication (MFA) conditional access policies to enhance security for users accessing their services. In fact, Microsoft is turning on these features, whether you like it or not.
Feedback from our clients tells us that Microsoft’s documentation is hard to read: the policies are technical, there are many rules and exceptions, and the jargon is dense. Reading through Microsoft’s materials is unlikely to help a non-technical person understand this change.
Why should you care? If you’re caught off guard by these mandatory changes, you’re going to have an unpleasant day sometime between now and the next few months. Your IT support is going to get lots and lots of calls from angry people who suddenly cannot log into their Microsoft 365 without setting up MFA. At that point, MFA is not an option.
This article will help you understand what’s coming, anticipate what you need to do, and get ahead of the disruption. So, let’s take a deep breath, step back to see the forest for the trees, and unpack this complex yet important security update from Microsoft.
First, Some Definitions
Because these policies are complicated, it’s best to define two important terms.
- Multi-factor authentication (MFA): MFA is a security measure that requires users to provide two or more forms of verification before gaining access to an account, system, or application, adding an extra layer of security beyond just a password. Even if a password is compromised, an attacker would still need access to the additional verification factors (such as a code sent to your phone) to gain entry.
- Conditional Access: This is the ability to apply specific access policies based on certain conditions or criteria. These conditions may include factors such as who the user is, what device they use, their location, and what kind of information they are trying to access. For example, if Steve is a full-time employee in marketing who works onsite from a company-issued desktop computer and Stephanie is a contractor with access to sensitive financial information who works remote from her personal laptop computer, they may have different authentication steps.
So, now you’ve gotten a refresher on MFA and some clarity about what “conditional access” means. Let’s next look at the policies that Microsoft is pushing into your environment.
What Are the New Microsoft Conditional Access Policies?
In the most succinct, non-technical terms, the three policies include the following:
Policy 1: MFA for administrative portals
Any user with administrative access to a Microsoft 365 administrator portal must have MFA enabled.
This is a no-brainer. Administrative access gives a cyberattacker access to all your sensitive and confidential information within Microsoft 365. Locking this information down with MFA is essential and critical in this era of cybersecurity.
Policy 2: MFA for individual users
This policy requires all users to use MFA when accessing Microsoft services. Users will sign in with MFA once and then only periodically re-verify with MFA going forward. Every standard user needs this kind of login.
Policy 3: MFA for high-risk sign-ins
If there are signs of a risky sign-in (such as logging in from an unusual location or device), even if it’s a trusted user, then Microsoft automatically forces the user to reauthenticate using MFA.
How Do These Conditional Access Policies Impact Me?
A great way to understand how you’ll be impacted is by asking yourself a few questions.
1. Do I have the right licenses?
To increase authentication security, Microsoft needs to know more about a user’s identity than it used to—which means tracking more of your behavior, such as where you are and what you're doing. That is more complicated and needs more resources, so you need a license that includes the right feature set to perform this kind of authentication.
The new conditional access policies apply to specific licenses.
- Policy 1: Microsoft Entra ID P1 and P2.
- Policy 2: Microsoft Entra ID P1 and P2.
- Policy 3: Microsoft Entra ID P2 only.
Previously known as Microsoft Azure Active Directory (Azure AD), Entra is the backend platform used to manage Microsoft 365. With Entra, IT professionals can manage user access to resources such as applications, data, and services.
These policies only apply to two flavors of Entra.
- P1 License: It’s most probable your organization has this common enterprise license. P1 includes features such as user authentication, single sign-on, conditional access, identity protection, self-service password reset, group-based asset management, secure remote access, and several other features related to Azure Active Directory.
- P2 License: If you’re a larger organization, you may have this license. P2 includes the same features as P1 but also adds identity governance, privileged identity management, advanced identity protection, and several advanced features related to Azure Active Directory.
2. Have I already enabled conditional access MFA?
Despite having the right licenses, you may not have MFA enabled already. It’s possible that your IT service provider or IT team has already turned on conditional access as part of keeping your cybersecurity up-to-date. If so, you’re fine.
If not, then you’ve either disabled conditional access MFA or you’re likely using an older, simpler version of MFA—where you would turn MFA on or off for everyone. Under this situation:
- If you’ve got MFA turned on for everyone, great. The policies will simply add some nuance on the backend and (if you have a P2 license) risky sign-ins will require extra MFA authentication.
- If you don’t have MFA turned on, then these policies will cause the greatest disruption for your organization as Microsoft forces you to switch to the new conditional access MFA.
How To Avoid an Angry Day of Disruption
If conditional access is not currently enabled at your organization, then you have a 90-day “report-only mode” window (which means that these policies are deployed but not enabled) before they are turned on. You’ll have to look on the backend of your Entra platform to see if and when they’ve been deployed. It’s up to Microsoft when they deploy, and we’ve seen no rhyme or reason across clients as to the timing.
At the end of your 90-day period, MFA will take effect for all your users. That means disruption is a big risk if you don’t have MFA enabled. A day will come when everyone goes to log in and they're suddenly being told they need to download an app, set up their account on the app, get a code, etc. There is an opportunity for many people to have a really confusing day in the near future.
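The two checks the previous paragraphs call for, seeing whether the policies have landed in report-only mode and finding the users who will be caught off guard, can both be done from Microsoft Graph PowerShell. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph SDK is installed, that the signed-in admin can consent to the listed read scopes, and (as labelled in the code) that the 90-day clock starts at the policy's creation date.

```powershell
# Added example, not from the article or Microsoft's documentation. Assumes the
# Microsoft.Graph PowerShell SDK is installed and the admin can consent to these
# read-only scopes (assumed to be the ones these cmdlets need).
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Which Conditional Access policies exist, and are any still in report-only mode?
#    Graph reports State as: enabled, disabled, or enabledForReportingButNotEnforced.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$summary = foreach ($p in $policies) {
    $age = if ($p.CreatedDateTime) { [int]((Get-Date) - $p.CreatedDateTime).TotalDays } else { $null }
    [pscustomobject]@{
        DisplayName = $p.DisplayName
        State       = $p.State
        Created     = $p.CreatedDateTime
        # Assumption: the 90-day report-only window is counted from the policy's
        # creation date. Verify against the notice Microsoft posted in your tenant.
        DaysLeft    = if ($p.State -eq 'enabledForReportingButNotEnforced' -and $null -ne $age) {
                          [Math]::Max(0, 90 - $age) } else { $null }
    }
}
$summary | Sort-Object State, DisplayName | Format-Table -AutoSize

# 2. Who will have the "angry day"? Users with no MFA method registered yet.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All -Filter "isMfaRegistered eq false"
$admins = @($unregistered | Where-Object IsAdmin)

$reportOnly = @($summary | Where-Object State -eq 'enabledForReportingButNotEnforced')
Write-Host ("Policies in report-only mode: {0}" -f $reportOnly.Count)
Write-Host ("Users not registered for MFA: {0} (of which admins: {1})" -f @($unregistered).Count, $admins.Count)

# Hand the list to the help desk so these users are enrolled before enforcement begins
$unregistered | Select-Object UserPrincipalName, UserDisplayName, IsAdmin |
    Export-Csv -Path ".\mfa-unregistered-users.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Run it once now to size the problem, then again shortly before the window closes to confirm the unregistered list has shrunk to zero.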
If you don’t have MFA enabled, it’s likely because of exceptions. To put it delicately, some people are not fans of MFA. If that’s the case, these people are going to be the least prepared for (and least happy about) this change. Under pressure from these people, you may be tempted to disable the new policies as soon as Microsoft begins to enforce them.
Don’t give in to that temptation!
To Disable, or Not to Disable? It’s Not a Question!
We recommend that everyone should have conditional access policies enabled. Period. Microsoft decided to push these policies because organizations are finding too many ways to get around using MFA. Lack of MFA seriously compromises security, and Microsoft wants Entra and Microsoft 365 to be as secure as possible for its users.
Consider that:
- 99.9% of account compromise attacks can be blocked by MFA.
- 80% of data breaches are the result of cyberattackers using stolen user credentials or “brute force” attacks (when a cyberattacker tries many password combinations to attempt unauthorized account access).
We have entered a progressively more dangerous world in relation to cyber threats. If you choose to disable MFA, it’s like not having seat belts in your car. You can still drive, but you're risking your life. While cyberattacks often aren’t life and death scenarios, they can seriously hurt your organization and sometimes shut down businesses.
Get Ahead of MFA Disruption
For this immediate problem, time is running out. Microsoft will push these policies into your environment soon. Your IT provider or someone on your IT team should have already reached out to you about this situation. Otherwise, many employees won't know this is happening until they are forced to authenticate with MFA, and they will have a frustrating day as your IT support gets overwhelmed.
It’s also important to keep the future in mind. It would be a mistake to think that Microsoft will stop its security requirements here. Expect periodic adjustments of what constitutes mandatory cybersecurity policies. It’s best to start thinking about MFA and other cybersecurity policies as something that’s never completed. Best practices must keep up with cyberattacker strategies.
To become proactive instead of reactive, your cybersecurity best practices must be continually addressed and updated. MFA and other cybersecurity protocols become more complex with each passing year. It used to be simpler, but now there are many gradations and nuances to setting up the right security configurations. Cyberattackers are constantly looking for weak points, and lack of MFA is a major weak point within many organizations.
Most small managed service providers or internal IT departments will struggle with this complexity on top of everything else they do. Microsoft security policies and configurations are fast becoming a specialization. You need someone who can keep an eye on it and stay ahead of potentially disruptive changes and security risks.
If you’re unsure about your current MFA status, reach out to us through the form below.