Identity & Access Security
Enable MFA in Microsoft Entra ID (Basic MFA)
Overview: Basic MFA is provided through Security Defaults in Microsoft Entra ID. It enables MFA for all users without complex setup.
Key Points:
- No license required (Free).
- Automatically enforces MFA for all users (especially admins).
- Authenticator app / OTP via email or SMS supported.
How to Enable:
- Log in to the [Microsoft Entra admin center](https://entra.microsoft.com).
- Go to Entra ID > Overview > Properties.
- Click on Manage Security Defaults.
- Set Enable Security Defaults = Yes, then click Save.
Difference Between Basic MFA and Conditional MFA
Overview: Comparison of the two MFA enforcement methods: Basic MFA (Security Defaults) and Conditional MFA (Conditional Access policies).
| Feature | Basic MFA (Security Defaults) | Conditional MFA (CA Policies) |
|---|---|---|
| License | Free | Requires Entra ID P1 or P2 |
| Target Specific Users/Apps | No | Yes |
| Risk-Based Access | No | Yes |
| Location-Based Rules | No | Yes |
| App Granularity | No | Yes |
Use Cases:
- Use Basic MFA for small organizations or quick setup.
- Use Conditional MFA for enterprises needing flexibility and control.
Configure Conditional Access MFA: Step-by-Step
Overview: Conditional Access policies allow enforcing MFA only under specific conditions (user, device, app, location).
Step-by-Step:
- Disable Security Defaults if enabled.
- Go to Microsoft Entra Admin Center > Conditional Access.
- Click + New Policy and provide a policy name.
- Under the Assignments section:
  - Select target Users or Groups.
  - Choose target Cloud Apps (e.g., Office 365).
- Under Access Controls > Grant:
  - Select Require multi-factor authentication.
- Set policy to On and click Create.
Block/Allow Legacy Authentication using CA Policies
Overview: Legacy authentication protocols (POP, IMAP, SMTP, etc.) don't support modern authentication, so MFA cannot be enforced on them, and they pose security risks.
Steps to Block Legacy Auth:
- Go to Entra ID > Protection > Conditional Access.
- Click + New Policy and name it appropriately.
- Under Assignments, select All users.
- Under Cloud apps, select All cloud apps.
- Under Conditions > Client Apps, select:
  - Other clients (legacy authentication protocols).
- Under Access Controls > Grant, select:
  - Block Access.
- Set to On and click Create.
Benefit: Prevents password spray and brute-force attacks that come in through insecure legacy apps, which cannot be protected by MFA.
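The two Conditional Access policies from the previous two sections (require MFA, block legacy authentication) as an added example using the Microsoft Graph PowerShell SDK; this is not code from the original page. It assumes the Microsoft.Graph module is installed, Security Defaults are already off, and the placeholder is replaced with the object ID of a break-glass account; the legacy-auth policy also covers Exchange ActiveSync, which the steps above do not list. Both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: create the two Conditional Access policies described above with
# the Microsoft Graph PowerShell SDK (Microsoft.Graph module, Entra ID P1 tenant,
# Security Defaults already disabled). Not code from the original page.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your break-glass (emergency access) account. Exclude it
# from every CA policy so an MFA provider outage cannot lock all admins out.
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    # Report-only first: review sign-in logs, then change state to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. clientAppTypes "other" is the portal's
# "Other clients"; "exchangeActiveSync" also covers basic-auth ActiveSync.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' id=$($created.Id) state=$($created.State)"
}
```

Once the report-only results in the sign-in logs show no unexpected blocks, switch a policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`.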
Security Defaults vs Conditional Access: What to Choose?
Overview: Comparison of Security Defaults vs Conditional Access to help decide what suits your organization.
| Feature | Security Defaults | Conditional Access |
|---|---|---|
| License Needed | Free | Entra ID P1 or higher |
| Apply to All Users | Yes | Selective |
| Granular Control | No | Yes |
| App-specific Rules | No | Yes |
| Exceptions | No | Yes |
| Risk-based Conditions | No | Yes |
Recommendation:
- Use Security Defaults if you're a small business or just getting started.
- Use Conditional Access for advanced control, security posture, and custom rules.