🔐 Identity & Access Security

From Notes_Wiki


Enable MFA in Microsoft Entra ID (Basic MFA)

Overview: Basic MFA is provided through Security Defaults in Microsoft Entra ID. It enables MFA for all users without complex setup.

Key Points:

  • No license required (Free).
  • Automatically enforces MFA for all users (especially admins).
  • Authenticator app or OTP via email or SMS is supported.

How to Enable:

  1. Log in to https://entra.microsoft.com.
  2. Go to Entra ID > Overview > Properties.
  3. Click on Manage Security Defaults.
  4. Set Enable Security Defaults = Yes, then click Save.

Difference Between Conditional MFA vs Basic MFA

Overview: Comparison of two MFA enforcement methods – Basic MFA and Conditional MFA.

Feature                    | Basic MFA (Security Defaults) | Conditional MFA (CA Policies)
License                    | Free                          | Requires Entra ID P1 or P2
Target Specific Users/Apps | No                            | Yes
Risk-Based Access          | No                            | Yes
Location-Based Rules       | No                            | Yes
App Granularity            | No                            | Yes

Use Cases:

  • Use Basic MFA for small organizations or quick setup.
  • Use Conditional MFA for enterprises needing flexibility and control.

Configure Conditional Access MFA – Step-by-Step

Overview: Conditional Access policies allow enforcing MFA only under specific conditions (user, device, app, location).

Step-by-Step:

  1. Disable Security Defaults if enabled.
  2. Go to Microsoft Entra Admin Center > Conditional Access.
  3. Click + New Policy → provide a policy name.
  4. Under Assignments section:
    1. Select target Users or Groups.
    2. Choose target Cloud Apps (e.g., Office 365).
  5. Under Access Controls > Grant:
    1. Select Require multi-factor authentication.
  6. Set policy to On and click Create.

Block/Allow Legacy Authentication using CA Policies

Overview: Legacy authentication protocols (POP, IMAP, SMTP, etc.) don't support modern authentication methods and pose security risks.

Steps to Block Legacy Auth:

  1. Go to Entra ID > Protection > Conditional Access.
  2. Click + New Policy and name it appropriately.
  3. Under Assignments → select All users.
  4. Under Cloud apps → select All cloud apps.
  5. Under Conditions > Client Apps → select:
    1. Other clients (legacy authentication protocols).
  6. Under Access Controls > Grant → select:
    1. Block Access.
  7. Set to On and click Create.

Benefit: Legacy protocols cannot prompt for MFA, so blocking them removes a path that password spray and brute-force attacks use through insecure apps.
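The two procedures above (require MFA for all users, block legacy authentication) are easy to get subtly wrong, for example by leaving a policy in report-only mode. The following added Python example (not from this wiki page) audits an exported policy list for both controls; the field names follow the Microsoft Graph conditionalAccessPolicy resource, and the sample policies are constructed, not taken from a real tenant.

```python
# Added example (not from the wiki page): audit exported Conditional Access
# policies for the two controls above. Sample policies are constructed; the
# field names follow the Microsoft Graph conditionalAccessPolicy resource.

def _applies_to_all(policy):
    """Policy targets all users and all cloud apps, with no exclusions."""
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    return (users.get("includeUsers") == ["All"]
            and not users.get("excludeUsers") and not users.get("excludeGroups")
            and apps.get("includeApplications") == ["All"])

def _grants(policy, control):
    """Grant section contains the built-in control ("mfa" or "block")."""
    return control in policy.get("grantControls", {}).get("builtInControls", [])

def requires_mfa_tenant_wide(policy):
    """Enabled, all users/all apps, grant = Require multi-factor authentication."""
    return (policy.get("state") == "enabled" and _applies_to_all(policy)
            and _grants(policy, "mfa"))

def blocks_legacy_auth(policy):
    """Enabled, all users/all apps, client apps include 'Other clients', grant = Block.
    Report-only ("enabledForReportingButNotEnforced") does not count as enforced."""
    client_apps = policy.get("conditions", {}).get("clientAppTypes", [])
    return (policy.get("state") == "enabled" and _applies_to_all(policy)
            and "other" in client_apps and _grants(policy, "block"))

def audit(policies):
    """Report whether each control is enforced by at least one policy."""
    return {"mfa_all_users": any(requires_mfa_tenant_wide(p) for p in policies),
            "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies)}

# Constructed sample export: the MFA policy is enforced, the legacy-auth block is report-only.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for control, ok in audit(SAMPLE_POLICIES).items():
        print(f"{control}: {'OK' if ok else 'MISSING'}")
```

Run against the sample, the MFA control passes while the legacy-auth block is reported as missing because the policy is still in report-only mode.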


Security Defaults vs Conditional Access – What to Choose?

Overview: Comparison of Security Defaults vs Conditional Access to help decide what suits your organization.

Feature               | Security Defaults | Conditional Access
License Needed        | Free              | Entra ID P1 or higher
Apply to All Users    | Yes               | Selective
Granular Control      | No                | Yes
App-specific Rules    | No                | Yes
Exceptions            | No                | Yes
Risk-based Conditions | No                | Yes

Recommendation:

  • Use Security Defaults if you're a small business or just getting started.
  • Use Conditional Access for advanced control, security posture, and custom rules.