MFA Best Practices: Microsoft 365 Setup Guide – Step 5.5


In our previous chapter of the Microsoft 365 Setup Guide, we covered the different forms and locations of Multi-Factor Authentication. In this installment, we are covering how to re-baseline MFA within an environment to ensure you are using MFA best practices. 

Often, organizations transfer management of Microsoft 365 from hand to hand every few years. To maintain a consistent baseline standard of security, we recommend auditing current MFA methods and enforcement.


Interested in a Step-by-Step Microsoft 365 SOP Checklist?

If you’re looking to simplify and standardize your Microsoft 365 setup, our detailed Microsoft 365 SOPs offer step-by-step checklists and templates to guide you through every aspect of configuration. 

Contact us using the button below for access to these comprehensive resources designed to ensure security and efficiency in your Microsoft 365 environment.


MFA Best Practices: Re-Baselining

Multi-Factor Authentication (MFA) has become an essential tool for protecting sensitive information and preventing unauthorized access. However, merely implementing MFA is not enough to ensure security. Organizations should prioritize re-baselining because it is a key MFA best practice. Re-baselining refers to the process of periodically reviewing and updating the security measures in place to ensure they remain effective against evolving threats.

By regularly re-baselining MFA systems, organizations can identify and address security gaps, update authentication processes to align with industry best practices, and enhance overall security posture. This practice helps to mitigate the risk of breaches and ensures that MFA remains a robust defense mechanism. Additionally, re-baselining allows organizations to adapt their MFA strategies to changing business needs, technology advancements, and regulatory requirements, thereby staying ahead of potential security threats.

Organizations can stay proactive and agile in the face of evolving security challenges by embracing re-baselining as a core practice. 

This portion of the guide helps you establish a baseline set of standard operating procedures to apply to each tenant you encounter. Having clear instructions and guidelines will allow you to be an efficient and diligent MSP. 

This next set of instructions is set up in a way that will allow you to:

  1. Identify the number of users and accounts that are using MFA
  2. Clean up and improve MFA adoption
  3. Streamline your MFA deployment
  4. Exclude service accounts from potentially being impacted unnecessarily 
  5. Migrate from legacy MFA methods to prevent yourself from kicking that can further down the road (unless you’re using security questions for SSPR policies, but that will come later)

Migrating from Legacy MFA (Per-User and SSPR) is fairly straightforward, but this process requires a bit of analyzing and planning on your end as this has a huge User and Service Account impact. 

Verify Licensing Requirements for Conditional Access

Before diving into Conditional Access within Microsoft 365, it’s important to understand that Conditional Access is included only with the Entra ID P1 or Entra ID P2 licenses. The key aspect to note is that Conditional Access is a feature bundled within these specific licenses, not a separately purchased add-on.

Verify Your License: 

  • Go to Entra.microsoft.com > Identity > Overview > License.
  • Check to confirm that your license type is P1 or P2


Conditional Access Requirements: If the license isn’t available, purchase one to enable Conditional Access Policies.

While acquiring just one license is sufficient to unlock this capability within the Microsoft 365 suite, it is critical to assign either a P1 or P2 license to each user, in order for them to fully leverage the functionalities that come with this licensing.


1. Determine Types of Per-User MFA in Use

Before migrating to the new Authentication Methods policies, it’s essential to understand which Per-User MFA methods your organization currently uses. This review will ensure a smooth transition to updated policies and maintains secure, reliable access protocols.

The following table provides an overview of legacy Per-User MFA methods and their corresponding new Authentication Method policies.

Per-User MFA Methods to Authentication Method Policy

  • Call to phone → Voice calls
  • Text message to phone → SMS
  • Notification through mobile app → Microsoft Authenticator
  • Verification code from mobile app or hardware token → Third-party software OATH tokens, Hardware OATH tokens, or Microsoft Authenticator

Examples of Use:

  • If users previously received MFA codes via SMS (Text message to phone), they will transition to SMS under the new policies.
  • Users using app notifications will continue with Microsoft Authenticator
 

Note: Verifying these methods before migration helps prevent disruptions for end-users and ensures all devices and applications align with the new methods. 

2. Determine # of Per-User MFA Enabled / Enforced

To effectively migrate to the new authentication methods, it’s crucial to first identify users’ current MFA status. This step helps ensure that users experience a seamless transition, reducing potential disruptions. 

Navigate to Legacy MFA Settings:

Go to Entra.microsoft.com > Users > All Users > Per-user MFA to access the legacy MFA settings.

Review MFA Status for Each User:

Check whether each user has MFA enabled, enforced, or disabled

Deployment Guidelines for Different MFA Groups

Each group of users may have different levels of familiarity with MFA, so handle them with care to avoid login issues or confusion.

Determining Number of Enabled and Enforced Users

Once you’ve reviewed each user’s MFA status, take a final count of users with enabled or enforced MFA. Document these numbers as part of your migration plan.

  1. Enabled Users: Track these users for additional support, as they may not have completed the MFA setup process.
  2. Enforced Users: These users are accustomed to MFA, so the migration should be smooth for them.
  3. Disabled Users: Ensure that these users are ready for the transition with appropriate training and support.
 

You can create a targeted plan for deploying MFA policies effectively by carefully reviewing and grouping users based on their MFA status. This will ensure that each user’s experience is as seamless as possible during the migration.
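The count described in this step can also be pulled with Microsoft Graph PowerShell rather than clicking through each user. This is an added example, not part of the guide; it assumes the Microsoft.Graph module is installed and that the signed-in admin holds the listed Graph permissions (the exact scope required for the per-user MFA state endpoint is an assumption, adjust to your tenant).

```powershell
# Added example (not from the guide): inventory per-user MFA state for the migration plan.
# Assumes Microsoft.Graph is installed; the requested scopes are an assumption for your tenant.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","Policy.Read.All" -NoWelcome

$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType

$report = foreach ($u in $users) {
    # The legacy per-user MFA state is exposed on the beta authentication requirements resource.
    $uri = "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    $req = Invoke-MgGraphRequest -Method GET -Uri $uri

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        UserType          = $u.UserType          # Member or Guest
        AccountEnabled    = $u.AccountEnabled
        PerUserMfaState   = $req.perUserMfaState # disabled | enabled | enforced
    }
}

# Totals of disabled / enabled / enforced users, matching the three groups in Step 2.
$report | Group-Object PerUserMfaState | Select-Object Name,Count | Format-Table -AutoSize

# Keep the per-user detail as evidence alongside the migration plan.
$report | Export-Csv -Path ".\per-user-mfa-baseline.csv" -NoTypeInformation
```

Large tenants may hit Graph throttling on the per-user call; the Graph SDK retries automatically, but expect the loop to take a while.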

3. Identify if Security Defaults are Enabled

To determine whether Security Defaults are currently active for your tenant, follow these steps:

Access Security Defaults:

Go to Entra.microsoft.com > Identity > Overview > Properties > Security defaults.

Check Security Default Status:

Look for a toggle button under Security Defaults. If it shows that Security Defaults are Enabled, this means they are applied across the entire tenant.

If Security Defaults are Disabled, you will not see this toggle. Instead, there will be an option to Manage Conditional Access.

Document the Current Setting:

For now, note whether Security Defaults are enabled or disabled. You’ll return to this setting later in the guide if adjustments are needed.


Next Steps:

If Security Defaults are enabled: Skip the next step and move directly to Step 5: Review SSPR MFA Settings.


If Security Defaults are disabled: Proceed to Step 4: Identify if MFA Policies are Created to start configuring custom Conditional Access policies.

ℹ️ Disabling Security Defaults will have a huge impact on the overall Microsoft Secure Score and will require that you institute like-policies and configurations in order to secure the tenant and bring the score back to what it was prior or higher.


4. Identify if MFA Policies are Created

In this step, you’ll verify whether Conditional Access Policies for MFA are already in place and determine which policies are needed to enforce MFA across different user groups. Microsoft provides both pre-configured templates and options for creating more granular policies.

Steps to Check and Set Up MFA Policies

Access Conditional Access Policies:

  • Navigate to Entra.microsoft.com > Protection > Conditional Access > Policies to review existing Conditional Access policies.
 

Use Microsoft’s Pre-Configured MFA Templates

  • At a minimum, check if the out-of-the-box MFA template from Microsoft is already enabled. This template targets All Users, including Admins, Guest Users, and Active Users.
  • If no policies are present: Click + New policy from template and select the appropriate templates for your organization’s needs. Microsoft’s template provides a quick way to enforce MFA broadly across the tenant.
 

Consider Granular MFA Policies:

If you need more targeted control, create granular Conditional Access policies that allow you to apply MFA selectively based on user roles or group types.

To create a custom policy, go to Entra.microsoft.com > Protection > Conditional Access > Policies > + Create new policy.

Granular policies can be customized to enforce MFA for specific groups, such as admins, guest users, or other categories of users, allowing for more flexibility and control.

Example Granular MFA Policies

Below is an overview of typical granular policies that can be created to manage MFA enforcement at different levels:

  1. MFA for All Active Users: Enforces MFA for general users while excluding service accounts and critical admin accounts.
  2. MFA for Guest Users: Applies MFA requirements specifically to external users, ensuring secure access while preventing unnecessary MFA prompts for internal users.
  3. MFA for Admins Only: Targets high-privilege roles, such as admins, requiring MFA for accessing sensitive administrative functions.
 

Tip: Granular policies provide flexibility, allowing you to enforce MFA selectively without impacting all users. This approach is particularly useful in complex environments where certain user groups require different levels of security.

Description: This will enforce MFA for your MFA required users.

Impact: Because this policy only includes users that are added to the MFA required users group, impact should be minimal as they should have been using MFA already, unless you are forcing the Microsoft Authenticator app. There is somewhat of a learning curve but nothing too crazy. Once the policy is created, you can use the Insights and reporting tab to see which users would fail and which ones would succeed.

Users: MFA Enforced Users group, Exclude Break glass admin accounts

Target resources: All cloud apps

Network: Not configured

Conditions:

  • Select Client apps
  • Set Configured to Yes
  • Select the client apps this policy will apply to
    • Browser
    • Mobile apps and desktop clients
    • Exchange ActiveSync clients
    • Other clients

By clicking Exchange ActiveSync clients and Other clients, users might lose access to their default mail apps if they are signed into the Mail app on iOS devices or similar, at which point they’ll need to sign in again.

Grant:

  • Set to Grant access
  • You can select Require multifactor authentication option or you can select Require authentication strength: Multifactor authentication

Selecting Passwordless MFA and Phishing Resistant MFA as your Authentication strength will require additional configuration that will not be completed at this time. Enabling these settings now may result in you losing access to your tenant.

Session: 0 controls selected; you can set a sign-in frequency here if you would like.

Enable policy: Report-only

By setting the policy in Report-only mode, you can allow the logs to generate over about a week’s time and go back to review the impact for the users that you targeted.

If you want to see what turning on MFA would look like for the whole organization and assess the number of users who would fail, you would switch Users from MFA Enforced Users to All Users, while still excluding the Break Glass accounts.

Switching to All Users would also include Guest and External user accounts.
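The Report-only policy described above can be created through Microsoft Graph PowerShell so the settings are reproducible across tenants. This is an added example, not the guide’s own procedure; the group name, the break-glass UPNs and the policy display name are placeholders you must replace.

```powershell
# Added example (not from the guide): create the Report-only MFA policy from Step 4 via Graph.
# Group name, break-glass UPNs and display name are placeholders (assumption).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All","User.Read.All" -NoWelcome

$mfaGroup = Get-MgGroup -Filter "displayName eq 'MFA Enforced Users'"   # placeholder group name
if (-not $mfaGroup) { throw "MFA Enforced Users group not found; create it before running this." }

# Break-glass accounts are resolved by UPN so the exclusion always uses object ids.
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id }

$policy = @{
    displayName = "CA - Require MFA - MFA Enforced Users (Report-only)"
    state       = "enabledForReportingButNotEnforced"   # Report-only, as the guide recommends first
    conditions  = @{
        users = @{
            includeGroups = @($mfaGroup.Id)
            excludeUsers  = @($breakGlassIds)           # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @("All") }   # Target resources: All cloud apps
        # Client apps: Browser, Mobile apps and desktop clients, Exchange ActiveSync, Other clients
        clientAppTypes = @("browser","mobileAppsAndDesktopClients","exchangeActiveSync","other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")      # Grant access + Require multifactor authentication
    }
    # No sessionControls: "0 controls selected", matching the guide.
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```

Leave the policy in this state for about a week, then review the Report-only results before changing `state` to `enabled`.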

5. Review SSPR (Self-Service Password Reset) MFA Settings

In this step, review and document the Self-Service Password Reset (SSPR) methods currently configured. This information will help ensure a smooth transition to the new authentication methods and provide a clear record of existing reset options.

Steps to Review SSPR MFA Settings

Go to Entra.microsoft.com > Protection > Password reset > Authentication methods to review the Self-Service Password Reset configurations.

Document the Number of Methods Required:

Note the number of authentication methods required for a password reset. This information is useful, although not critical for migration purposes.

Record Available SSPR Methods:

Document the specific SSPR methods available to users. This ensures that you have a clear record of which options users can currently use for password reset. Available options might include:

  • Mobile app notification
  • Mobile app code
  • Email
  • Office phone
  • Security questions (Note: Security questions cannot be migrated to the new Authentication methods; if these are enabled, plan to delay migration for this aspect of the policy.)
 

Important Considerations for Migration

  • Migration Limitations: If security questions are currently in use, you will need to delay migrating this part of the policy until an alternative reset method is in place.
  • Document All Settings: Having a complete record of these settings helps with policy review and ensures you can reconfigure equivalent methods under the new Authentication Methods policy if needed.
 

Reviewing and documenting the current SSPR MFA settings provides insight into which password reset methods users can access. This documentation supports a smooth migration to new policies by ensuring that equivalent reset methods are available, reducing the chance of disruptions for end-users.


6. Review Authentication Methods for SSPR and Per-User Migrations

In this step, review the authentication methods documented for Self-Service Password Reset (SSPR) and Per-User MFA to ensure they are properly configured in the new Authentication Methods policy. This review allows for a smooth migration while maintaining security across the organization.

Configure First-Time MFA Setup or MFA for All Users

Based on your organization’s needs, choose between two MFA rollout options:

First-Time MFA Setup:

  • If this is your first MFA rollout and you want controlled enrollment, configure MFA using the MFA security groups created earlier.
  • Steps:
    • Target the MFA Required user group.
    • Exclude the MFA Excluded user group to prevent unnecessary MFA prompts.
  • This approach ensures only selected users are required to enroll in MFA, making it ideal for a gradual rollout.
 

Enforce MFA for All Users:

If enforcing MFA across the entire organization, target All Users while still excluding the MFA Excluded group.

Result: This setup avoids repetitive MFA prompts for accounts that should remain unaffected, streamlining the MFA process for regular users.

Manage MFA Migration Settings

Access Migration Settings:

Go to Entra.microsoft.com > Protection > Password reset > Authentication methods > Policies > Manage Migration.

Set Migration Status:

Set the migration to In Progress if you are actively transitioning Per-User and SSPR policies to the new Authentication Methods policies.

⚠️ Important: Do not set the migration to Complete while Per-User MFA is still enforced, as this could lock users out of their accounts by preventing access with their previous authentication methods.

Configure Microsoft Authenticator for Enhanced Security

To protect against MFA fatigue and improve security, configure Microsoft Authenticator with number and location matching:

Enable Microsoft Authenticator Settings:

Navigate to Entra.microsoft.com > Protection > Password reset > Authentication methods > Policies and select Microsoft Authenticator.

Set Target and Exclusions:

In the Enable and Target section, choose Enable.

Under Include, set the User Scope to the MFA Required group or All Users if rolling MFA out organization-wide.

Under Exclude, add the MFA Excluded group.

Configure Matching Options:

Enable the following settings:

  • Number Matching for Push Notifications
  • Application Name in Push and Passwordless Notifications
  • Geographic Location in Push and Passwordless Notifications

 

These settings enhance security by ensuring users are more mindful of authentication requests, reducing MFA fatigue. Leave the Microsoft Authenticator on companion applications as is.

Review and Migrate SSPR and Per-User MFA Authentication Methods

Review SSPR Authentication Methods:

For each enabled SSPR method, configure a corresponding method under the new Authentication Methods policy.

ℹ️ Note: If certain methods, such as email OTP, are primarily used for guest users, you may choose to exclude or modify these settings based on organizational needs.

Review Per-User MFA Authentication Methods:

For each enabled Per-User MFA method, configure the same method under the new Authentication Methods policy.


ℹ️ Note: If specific methods are not intended for future use, you may choose not to migrate them. Email OTP, for instance, is commonly used for guest accounts, and SMS may be optional depending on user requirements.

7. Review Registration Campaign Settings

The MFA Registration Campaign allows you to enforce MFA enrollment via the Microsoft Authenticator over a defined period. This setting gives users the flexibility to enroll gradually while providing administrators control over the deployment process.

Navigate to Registration Campaign Settings:

Go to Entra.microsoft.com > Protection > Authentication methods > Registration Campaign > State.

Review Possible Campaign States:

The Registration Campaign can be set to one of three states:

  • Enabled: The campaign is actively enforced, prompting users to set up MFA.
  • Disabled: The campaign is turned off, and users are not prompted to enroll in MFA.
  • Managed: Currently managed by Microsoft and will be enforced when Microsoft chooses.
 

Define the Enforcement Window:

When Enabled, the Registration Campaign requires users to enroll in MFA over a 1 to 14-day window. Users will receive prompts to set up Microsoft Authenticator and can choose to Snooze the prompt within the specified timeframe if they’re not ready to enroll immediately.

Configure Exclusions:

If using this method to deploy MFA, add the Exclude MFA group to prevent certain users or groups from being prompted for MFA registration.

Document Settings if Not Using the Registration Campaign:

If you do not plan to use the Registration Campaign for enforcing MFA, document the current settings. You can revisit and enable this option later if needed.

8. Disable Security Defaults (if Enabled)

If you haven’t created Conditional Access policies yet, you’ll need to disable Security Defaults to make this functionality available. Disabling Security Defaults allows for more customized security settings, but keep in mind that it may take 15 minutes to an hour for the changes to fully take effect, depending on the size of your tenant.

Access Security Defaults Settings:

Navigate to Entra.microsoft.com > Identity > Overview > Properties.

Manage Security Defaults:

Select Manage security defaults from the properties menu.

Disable Security Defaults:

Set Security Defaults to Disabled.

Reason for Disabling: Provide a reason for disabling Security Defaults to document your decision. This is useful for auditing purposes and helps maintain a record of configuration changes.

Save Changes:

Click Save to apply the new settings.

Note: Disabling Security Defaults is essential for enabling Conditional Access policies, but it also requires careful planning to replace these default protections with customized policies that secure your tenant effectively.

9. Create Conditional Access Policies for MFA

Follow the instructions in Step 4 (Identify if MFA Policies are Created) to create the Conditional Access Policies for MFA and set the policy to Report-Only.

⚠️ Important: When setting up these policies, ensure that you exclude your Break Glass admin accounts. Excluding these accounts is essential to prevent accidental lockouts, ensuring that administrators retain access to the tenant in case of emergency.
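Before switching any policy from Report-only to On, it is worth checking every policy for the break-glass exclusion in one pass, and confirming that Security Defaults are off (Conditional Access cannot be enforced while they are on). This is an added check, not part of the guide; the break-glass UPNs are placeholders.

```powershell
# Added example (not from the guide): audit all Conditional Access policies for the break-glass
# exclusion and report the Security Defaults state. Break-glass UPNs are placeholders (assumption).
Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All" -NoWelcome

$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id }

# Security Defaults and Conditional Access are mutually exclusive (Steps 3 and 8 of the guide).
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

$policies = Get-MgIdentityConditionalAccessPolicy -All
$results  = foreach ($p in $policies) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    $missing  = @($breakGlassIds | Where-Object { $_ -notin $excluded })

    [pscustomobject]@{
        Policy             = $p.DisplayName
        State              = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        BreakGlassExcluded = ($missing.Count -eq 0)
        MissingExclusions  = ($missing -join ",")
    }
}

$results | Sort-Object BreakGlassExcluded | Format-Table -AutoSize

# Fail loudly if an enabled or report-only policy is missing the exclusion.
$gaps = $results | Where-Object { -not $_.BreakGlassExcluded -and $_.State -ne "disabled" }
if ($gaps) { Write-Warning "$($gaps.Count) policy/policies do not exclude the break-glass accounts." }
```

Run this again after every policy change; exclusions are easy to lose when a policy is cloned or rebuilt from a template.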

10. Enable Conditional Access Policy MFA and Disable Per-User MFA

For users with Per-User MFA enforced, follow these steps to transition them to Conditional Access Policies:

Disable Per-User MFA:

Go through each user currently using Per-User MFA and disable this setting. This step ensures that MFA enforcement will now rely on the Conditional Access Policies rather than individual user settings.

Enable Conditional Access Policies for MFA:

Once Per-User MFA is disabled, enable the Conditional Access Policies for MFA to apply these settings across users and admins.

Exclude Specific Accounts:

Double-check that Break Glass admin accounts and any MFA Excluded accounts are not affected by the new policies, ensuring uninterrupted access for critical accounts.

This approach provides consistent and controlled MFA enforcement across the organization, improving security while maintaining necessary account access.

Expanding MFA Enforcement to All Users

If you have been gradually rolling out MFA by targeting specific MFA-required user groups, you will eventually reach a point where MFA enrollment is complete across the organization.

Adjust Conditional Access Policy Scope:

Once all targeted users have enrolled in MFA, expand the Conditional Access policy scope to include All Users. This ensures comprehensive MFA enforcement across the tenant.

Include Excluded MFA Users in Security Groups:

Update the security groups to include any previously excluded users, ensuring that all necessary accounts are accounted for within the Conditional Access policies.

Document All Exclusions:

Carefully document any exclusions, including the reason for each. Maintaining a record of exclusions is essential for auditing and future security reviews.

Completing these steps ensures that MFA is enforced organization-wide while keeping an accurate record of necessary exclusions.

11. Disable SSPR MFA and Per-User MFA Settings

As part of the migration to new Authentication Methods, follow these steps to disable legacy SSPR MFA and Per-User MFA methods and finalize the migration status.

Disable SSPR MFA Authentication Methods

Access Per-User MFA Settings:

Go to Entra.microsoft.com > Users > All Users > Per-user MFA.

Adjust SSPR Method Settings:

Set the number of methods required to reset to 1 and uncheck all methods that have been migrated to the new Authentication Methods policy.

Note: If you’re waiting to migrate Security questions and intend to use them, leave this box checked. This ensures that end-users will retain their security questions until the migration is complete.

Disable Authentication Methods for Per-User MFA

Navigate to Service Settings for Per-User MFA:

Go to Entra.microsoft.com > Protection > Password reset > Authentication methods.

Uncheck Legacy MFA Options:

Under Service Settings for Per-User MFA, uncheck all options that were previously configured for MFA. Save these changes to ensure policies have been migrated to the new Authentication Methods.

Finalize the MFA Migration Status

Update Migration Status to Complete:

Go to Entra ID > Protection > Password reset > Authentication methods > Policies > Manage Migration.

Set to Migration Complete:

Change the migration status to Migration Complete to finalize the transition.

ℹ️ Note: If you’re waiting for Security questions to be fully migrated to the new Authentication Methods, you can temporarily set the migration status back to In Progress as needed.

Create Registration Campaign for Authenticator App

To set up a Registration Campaign that prompts users to enroll in Microsoft Authenticator for MFA, follow these steps:

Access Registration Campaign Settings:

Go to Entra.microsoft.com > Protection > Authentication methods > Registration campaign.

Enable the Registration Campaign:

Set the campaign to Enable to initiate the prompt for users to set up Microsoft Authenticator.

Configure Snooze Options and Exclusions:

Choose a timeframe (1 to 14 days) that allows users to Snooze the registration prompt if they’re not ready to enroll immediately.

Add any Excluded MFA groups to prevent specific users or groups from receiving the enrollment prompt.

ℹ️ Note: Future articles on Conditional Access will cover advanced configurations, including Device Enrollment MFA and settings like Phishing Resistant MFA for enhanced security.

Configuring a Registration Campaign for Microsoft Authenticator allows you to prompt users to enroll in MFA over a flexible timeframe, enhancing security with minimal disruption. Adding exclusions and snooze options ensures a smooth user experience tailored to organizational needs.

Summary

Implementing MFA across an organization requires careful planning, user communication, and strategic configuration to ensure both security and usability. Starting with a review of current Per-User MFA and SSPR settings allows you to identify existing authentication methods and smoothly transition to new, more robust Conditional Access Policies. You can prompt users to set up MFA on a flexible timeline by configuring Microsoft Authenticator through a Registration Campaign. Doing so will ensure seamless enrollment and minimal disruption.

Throughout this process, it’s essential to document all security configurations, exclusions, and user groups for auditing and compliance purposes. As you expand MFA enforcement to All Users, maintaining a record of exclusions and reviewing the impact of each security change helps safeguard both user access and organizational assets.

This phased approach ensures a comprehensive MFA rollout that strengthens security across the organization, minimizes end-user impact, and prepares for advanced configurations, such as Device Enrollment MFA and Phishing-Resistant MFA. Following these steps, your organization can achieve a secure, scalable authentication strategy that meets evolving security needs.

Note: Enabling MFA across the organization is a vital step toward improved security, but it requires careful planning to minimize disruptions. Communicate the changes to users in advance, prepare support resources, and exclude critical service accounts to avoid interruptions. Additionally, assess the impact on applications and consider a phased rollout to ease the transition. By taking these steps and monitoring feedback, you can implement MFA effectively, boosting security while maintaining a smooth user experience.

The Complete Guide to Microsoft 365

Want full access to the ultimate Microsoft 365 deployment & security cheatsheet? Purchase our complete Golden Tenant now to get detailed instructions, in-depth explanations, and even personalized Microsoft consulting. Have peace of mind with the security of your Microsoft suite by using our CIS-compliant SOPs. 
