User-based MFA vs. Conditional Access MFA

Monday, October 1, 2018
Thank you to everyone who attended my two sessions, "How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less" at Microsoft Ignite 2018 in Orlando! The first session was recorded and is available on YouTube. I wanted to post a follow-up article to those presentations.

There are two ways to configure users for multi-factor authentication (MFA) in Azure Active Directory -- user-based MFA and using conditional access. In my demos I used user-based in the interest of time, but most customers will usually use conditional access in production.

When you configure a user for user-based MFA, users are always prompted for MFA whenever they access a cloud resource, such as Exchange Online, SharePoint, Teams, etc. It's either on or off. You can configure a user for user-based MFA from the Azure AD Portal. Click Multi-Factor Authentication at the top of the Users blade.


This will open a new tab for the user-based MFA configuration page.


From here you can enable users for MFA. As mentioned above, this will configure the user for MFA every time they access a cloud resource. It also will break access for any apps or protocols that don't support MFA, such as ActiveSync.

A better option is to use conditional access. Users will be prompted for MFA when the conditional access policy applies to them. Users do not (and should not) be configured for user-based MFA for conditional access (CA) policies to work. If user-based MFA is enabled, it will override the CA policies for that user.

You configure CA rules from from the Conditional Access blade in the AAD portal.


Configure the Assignments for the CA policy (who and which apps get it) and configure the Access Controls to Grant access and Require multi-factor authentication.


MFA will now happen whenever the CA policy is triggered. For further information please see the article, "Quickstart: Require MFA for specific apps with Azure Active Directory conditional access".

Note that there are two places to configure trusted networks and IP addresses, where MFA will not be used - one for user-based MFA and another for conditional access. These two settings are unique for each configuration and do not affect each other. You configure can configure both CA named locations and user-based MFA trusted IPs in the new Conditional access > Named locations blade.