A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?
- A. Create a Conditional Access policy requiring MFA for all cloud apps, including break-glass accounts. Then disable per-user MFA.
  Why wrong: Including break-glass accounts in the policy could lock out administrators if the policy is misconfigured.
- B. Create a Conditional Access policy requiring MFA for all users only when accessing from outside the corporate network.
  Why wrong: This does not enforce MFA for internal access, which may not meet security requirements.
- C. Create a Conditional Access policy requiring MFA for all users, excluding break-glass accounts. Disable per-user MFA for all users.
  Why correct: This ensures MFA is always enforced and provides emergency access via break-glass accounts.
- D. Disable per-user MFA for all users, then create a Conditional Access policy requiring MFA for all cloud apps.
  Why wrong: This would leave users without MFA during the gap between disabling per-user MFA and enabling the policy, causing disruption.