This chapter covers Multifactor Authentication (MFA) and Conditional Access (CA) in Microsoft 365, two critical security capabilities that protect user identities and control access to resources. For the MS-900 exam, this topic area appears in approximately 15–20% of questions, primarily in Domain 3: Security & Compliance. You will need to understand the purpose, components, and configuration of MFA and CA, as well as common deployment scenarios and licensing requirements.
Jump to a section
Imagine a secure office building with a single public entrance. The building has a reception desk (Azure AD) that checks IDs. Multifactor Authentication (MFA) is like requiring both a keycard (something you have) and a PIN (something you know) to open the door. Even if someone steals your keycard, they cannot enter without the PIN. Conditional Access (CA) is like a security guard who checks additional conditions before allowing entry: only employees from the Sales team (group membership) are allowed on the top floor (specific app), only during business hours (time condition), and only if they are connecting from the corporate network (location condition). The guard also checks if the visitor's device is managed and compliant (device state). If any condition is not met, the guard denies access or requires another verification step, like a retina scan (step-up authentication). MFA is a tool; CA is the policy engine that decides when to use that tool and what other checks to apply.
What are MFA and Conditional Access?
Multifactor Authentication (MFA) is a security mechanism that requires users to present two or more verification factors to gain access to a resource. The three categories of factors are: - Something you know (password, PIN) - Something you have (phone, hardware token, authenticator app) - Something you are (biometrics like fingerprint or facial recognition)
MFA significantly reduces the risk of account compromise because an attacker must obtain multiple factors, not just a password.
Conditional Access (CA) is a policy-based engine in Azure Active Directory (Azure AD) that evaluates signals (user, device, location, app, risk) and enforces access decisions. CA policies are "if-then" statements: if a condition is met, then apply an access control (grant access, require MFA, block access). CA allows granular control over who can access what, under what conditions.
How MFA Works Internally
When a user attempts to sign in, Azure AD checks whether MFA is required (either by a per-user setting or a CA policy). If MFA is needed, the authentication flow proceeds as follows: 1. User enters password. Azure AD validates it against the user's stored hash. 2. Azure AD checks the user's MFA state (enabled, enforced, or disabled). 3. If MFA is required, Azure AD sends a challenge to the user's registered verification method (phone call, SMS, push notification, or OATH token). 4. The user completes the second factor. For example, with Microsoft Authenticator, the user receives a push notification, taps "Approve," and enters a number that appears on the sign-in screen. 5. Azure AD verifies the response and issues an access token if successful.
Default MFA verification methods include:
Microsoft Authenticator app (push notification or OTP)
Phone call
SMS text message
OATH hardware tokens
Windows Hello for Business (biometric or PIN)
Per-user MFA is a legacy configuration where MFA is enabled or enforced for each user individually. Microsoft recommends using Conditional Access policies to require MFA instead, as it offers more granularity and integration with risk-based signals.
Conditional Access Components
A Conditional Access policy consists of: - Assignments: Who (users/groups), What (cloud apps), Where (locations, IP ranges), When (time), and What device (platform, state). - Access controls: Grant (require MFA, require compliant device, require hybrid Azure AD joined device, require approved client app, require app protection policy) or Block. - Session controls: Enforce app restrictions, use app control for continuous access evaluation.
How Conditional Access Works
When a user attempts to access a resource, Azure AD evaluates all applicable CA policies. The evaluation process: 1. Collect signals: user identity, device state, location (IP address), application being accessed, risk level (if Azure AD Identity Protection is enabled). 2. Evaluate policies: Each policy's conditions are checked. If all conditions are met, the policy's access controls are applied. 3. Enforce controls: If multiple policies apply, the most restrictive combination is enforced. For example, if one policy requires MFA and another requires a compliant device, the user must meet both. 4. Result: Access is granted, blocked, or requires additional verification.
Default Values and Timers
Session sign-in frequency: Default is 90 days for modern authentication clients. Can be configured per CA policy.
Persistent browser session: Default allows users to stay signed in for up to 24 hours. Can be set to "Never" or a custom duration.
MFA remember: Users can mark a device as "trusted" for up to 60 days (default) to bypass MFA prompts. Configurable in per-user MFA settings.
Configuration and Verification
To configure a Conditional Access policy in the Azure portal: 1. Navigate to Azure Active Directory > Security > Conditional Access. 2. Click "New policy." 3. Assign a name, select users/groups, cloud apps, conditions (device platforms, locations, client apps, sign-in risk, etc.). 4. Under Access controls, choose Grant or Block, and configure any required grant controls. 5. Set policy to "Report-only" initially to test impact, then "On" for enforcement.
To verify MFA registration status via PowerShell:
Get-MsolUser -UserPrincipalName user@domain.com | Select-Object StrongAuthenticationRequirements, StrongAuthenticationMethodsTo check CA policy results:
Get-AzureADMSConditionalAccessPolicy | Format-ListInteraction with Related Technologies
Azure AD Identity Protection: Provides risk signals (sign-in risk, user risk) that CA policies can use to require MFA or block access automatically.
Microsoft Intune: Manages device compliance and app protection policies. CA can require a device to be compliant or managed by Intune.
Azure AD Privileged Identity Management (PIM): For privileged roles, CA can require MFA or approval for activation.
Continuous Access Evaluation (CAE): Works with CA to revoke tokens in real-time when user conditions change (e.g., password reset, device marked non-compliant).
Licensing Requirements
Azure AD Free: Supports per-user MFA (limited) and basic CA policies (e.g., block legacy auth).
Azure AD Premium P1: Full CA capabilities, including MFA policies, location-based access, device state.
Azure AD Premium P2: Includes Identity Protection for risk-based CA policies and PIM.
Microsoft 365 Business Premium: Includes Azure AD P1.
Microsoft 365 E5: Includes Azure AD P2.
Trap Patterns
Common exam traps:
Confusing per-user MFA with CA-based MFA: Per-user MFA is static; CA MFA is dynamic and can be scoped.
Thinking CA policies are evaluated in order of priority: Actually, all policies are evaluated together, and the most restrictive combination applies.
Assuming that blocking legacy authentication requires a separate feature: In fact, a CA policy can target "Exchange ActiveSync" and "Other clients" to block legacy auth.
Believing that MFA is only available with Premium licenses: Azure AD Free includes basic MFA per user, but CA policies need P1.
User attempts sign-in
The user enters their username and password on a sign-in page (e.g., portal.office.com). Azure AD receives the authentication request and validates the password against the stored hash. If the password is correct, Azure AD proceeds to evaluate whether MFA or CA policies apply. The user's device, IP address, and client app are captured as signals.
CA policy evaluation
Azure AD retrieves all Conditional Access policies assigned to the user and the target cloud app. It evaluates each policy's conditions: user/group membership, location (IP range or country), device platform (iOS, Android, Windows, macOS), client app (browser, mobile app, legacy client), sign-in risk (from Identity Protection), and application. Policies are evaluated in parallel; all conditions must be met for a policy to apply.
Access control enforcement
If one or more policies apply, Azure AD combines their grant controls. For example, if Policy A requires MFA and Policy B requires a compliant device, the user must satisfy both. If any policy has a Block control, access is denied regardless of other policies. The user is then prompted to complete the required actions, such as authenticating with MFA or enrolling a device in Intune.
MFA challenge
If MFA is required, Azure AD sends a challenge to the user's primary verification method (e.g., push notification to Microsoft Authenticator). The user must respond within 60 seconds (default timeout). Upon successful verification, Azure AD issues an access token. If the user fails or times out, sign-in is denied.
Token issuance and access
After all conditions are satisfied, Azure AD issues an access token with a default lifetime of 1 hour for modern apps. The token includes claims about the user, device, and authentication method. The application validates the token and grants access. Session controls, such as sign-in frequency, may require re-authentication after a configurable period (default 90 days).
Enterprise Scenario 1: Enforcing MFA for All Users with Location Exception
A multinational company with 10,000 employees wants to require MFA for all cloud app access, but exempt users connecting from the corporate headquarters (trusted IP range). The solution: Create a CA policy targeting all users and all cloud apps, with a condition to exclude the corporate IP range. For users outside the office, MFA is enforced. The policy is set to "Report-only" for two weeks to monitor impact, then enabled. Common issues: Users forget to register MFA methods; administrators must run a registration campaign using Azure AD Identity Protection's MFA registration policy. Performance: No noticeable latency; CA evaluation adds <100ms to sign-in.
Scenario 2: Blocking Legacy Authentication for High-Risk Apps
A healthcare organization must comply with HIPAA by blocking legacy authentication protocols (POP, IMAP, SMTP) that do not support MFA. They create a CA policy targeting all users and the Office 365 Exchange Online app, with a condition for client apps: select "Exchange ActiveSync" and "Other clients" (legacy). The access control is set to Block. This prevents any legacy protocol from accessing mailboxes. Misconfiguration: If the policy inadvertently blocks modern clients (e.g., Outlook for Windows uses modern auth), administrators must ensure the client apps condition excludes modern authentication clients. Common mistake: Forgetting to exclude service accounts that still rely on legacy protocols for on-premises integrations.
Scenario 3: Risk-Based Conditional Access with Identity Protection
A financial services firm uses Azure AD Premium P2 to implement risk-based CA. They configure a policy that requires MFA when sign-in risk is medium or higher, and blocks access when risk is high. Another policy requires a password change when user risk is high. This automates responses to compromised credentials. Scale: With 50,000 users, Identity Protection processes millions of sign-in events daily. Administrators must tune risk thresholds and review risky users weekly. Common failure: Overly aggressive policies cause false positives, locking out legitimate users. Mitigation: Use report-only mode initially and adjust thresholds.
What MS-900 Tests
Objective 3.3: "Describe the capabilities of Microsoft 365 security and compliance centers." Within this, MFA and Conditional Access are tested under security features. Specific focus areas:
Understanding MFA as a security baseline (not just an option).
Knowing the difference between per-user MFA and CA-based MFA.
Recognizing that CA policies can require MFA, block access, or require compliant devices.
Identifying licensing requirements: Azure AD P1 for full CA, P2 for risk-based.
Knowing that legacy authentication is a common attack vector and can be blocked via CA.
Common Wrong Answers
"MFA can be enforced only with Azure AD Premium P2." Wrong: MFA per user is available in Free; CA-based MFA needs P1, not P2.
"Conditional Access policies are evaluated in order of priority." Wrong: All applicable policies are evaluated together; the most restrictive grant controls combine.
"Blocking legacy authentication requires a separate feature like Azure AD Application Proxy." Wrong: A simple CA policy with client apps condition can block legacy protocols.
"CA policies can only be applied to users, not groups or apps." Wrong: Policies can target specific users/groups, cloud apps, and conditions.
Specific Exam Numbers
Default MFA remember duration: 60 days.
Default session sign-in frequency: 90 days.
CA policy states: Report-only, On, Off (disabled).
Grant controls: Require MFA, require compliant device, require hybrid Azure AD joined device, require approved client app, require app protection policy.
Conditions: user/group, cloud app, device platform, location, client app, sign-in risk, user risk.
Edge Cases
Guest users: CA policies can target external users; MFA may be required from their home tenant.
Break-glass accounts: Emergency admin accounts must be excluded from CA policies to avoid lockout.
Device compliance: Requires Intune; if not licensed, the "require compliant device" control is unavailable.
Eliminating Wrong Answers
When you see an answer claiming a feature requires a high license, verify against the actual feature set. If the answer mentions "priority" or "order" of CA policies, it is likely wrong. If it says legacy auth can only be blocked by disabling protocols at the server, it is wrong—CA can do it. Focus on the mechanism: CA is a policy engine, not a firewall.
MFA requires two or more factors: something you know, have, or are.
Conditional Access policies are if-then statements: if condition, then enforce control.
All applicable CA policies are evaluated together; the most restrictive grant controls apply.
Azure AD Free includes per-user MFA; Azure AD P1 is needed for CA-based MFA.
Legacy authentication can be blocked via a CA policy targeting 'Other clients'.
Default MFA remember duration is 60 days; session sign-in frequency default is 90 days.
Risk-based CA requires Azure AD P2 (Identity Protection).
Break-glass accounts should be excluded from CA policies to prevent lockout.
These come up on the exam all the time. Here's how to tell them apart.
Per-User MFA
Enabled or enforced per user account.
Static: same MFA requirement for all apps and sign-ins.
Limited to MFA only; no other access controls.
Configured via legacy MFA portal or user settings.
No integration with risk signals or device state.
Conditional Access MFA
Applied via policies that target users, groups, apps, and conditions.
Dynamic: MFA can be required only for specific scenarios (e.g., off-network, high-risk).
Supports multiple grant controls: MFA, compliant device, approved app, etc.
Configured in Azure AD Conditional Access blade.
Integrates with Identity Protection for risk-based MFA.
Mistake
MFA requires Azure AD Premium P1.
Correct
Per-user MFA is available in Azure AD Free. Conditional Access-based MFA requires Azure AD P1.
Mistake
Conditional Access policies are applied in a specific order and only the first matching policy is enforced.
Correct
All applicable policies are evaluated together, and the most restrictive combination of grant controls is enforced.
Mistake
Blocking legacy authentication requires disabling protocols in Exchange Online or using a separate security feature.
Correct
A Conditional Access policy can block legacy authentication by targeting 'Exchange ActiveSync' and 'Other clients' in the client apps condition.
Mistake
MFA can only be required for all users, not specific apps or conditions.
Correct
Conditional Access allows MFA to be required for specific cloud apps, locations, device states, or risk levels.
Mistake
Once MFA is set up, users will always be prompted for MFA on every sign-in.
Correct
MFA prompts can be remembered for up to 60 days (default) on trusted devices. Session sign-in frequency can also be configured to reduce prompts.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Per-user MFA is a legacy setting that enforces MFA for a user on every sign-in, regardless of context. Conditional Access MFA uses policies that can require MFA based on conditions like location, device, app, or risk. CA MFA is more flexible and is the recommended approach.
Yes. In a CA policy, under 'Assignments > Cloud apps or actions', you can select specific apps (e.g., Exchange Online, SharePoint). MFA will only be required when accessing those apps.
MFA remember (trusted device) defaults to 60 days. Session sign-in frequency for modern authentication clients defaults to 90 days. Both can be customized in CA policies.
Create a CA policy targeting all users and the cloud app you want to protect (e.g., Office 365 Exchange Online). Under 'Conditions > Client apps', select 'Exchange ActiveSync' and 'Other clients'. Set Access control to Block. This prevents any legacy protocol from accessing that app.
Risk-based CA (using sign-in risk and user risk) requires Azure AD Premium P2, which includes Identity Protection. Azure AD P1 supports location and device-based conditions but not risk.
Yes. In CA policy assignments, you can exclude specific users or groups. It is a best practice to exclude emergency break-glass accounts to avoid being locked out.
'Require MFA' forces the user to complete a second factor. 'Require compliant device' checks that the device is managed by Intune and meets compliance policies (e.g., encrypted, patched). Both can be used together in a single policy.
You've just covered MFA and Conditional Access in M365 — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?