Azure Multifactor Authentication MFA and Conditional Access

Sharing is caring!

Two-step verification is important for modern workplaces especially when employees are working remotely more and more, organisation boundaries are limitless, Data can be accessed from anywhere and on any device.

Microsoft Multi-Factor Authentication offers comes in following flavors.

  • Azure Active Directory Premium licenses – Full featured use of Azure Multi-Factor Authentication Service (Cloud) or Azure Multi-Factor Authentication Server (On-premises).
  • Multi-Factor Authentication for Office 365 – A subset of Azure Multi-Factor Authentication capabilities are available as a part of your subscription.
  • Azure Active Directory Global Administrators – A subset of Azure Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.

Features Comparisons

The following table provides a list of the features that are available in the various versions of Azure Multi-Factor Authentication.

Setting up Multi-Factor Authentication

First thing first, Buy and Assign a licence to your users. There are two ways to buy MFA service from Microsoft

  • Buy licenses for each user (Either Azure MFA, Azure AD Premium, or Enterprise Mobility + Security)
  • Create a Multi-Factor Auth Provider and pay per-user or per-authentication

There are two ways to configure users for multi-factor authentication (MFA) in Azure Active Directory — user-based MFA and using Conditional Access.

  • User-based MFA, users are always prompted for MFA whenever they access a cloud resource, such as Exchange Online, SharePoint, Teams, etc. It’s either on or off. 
  • Conditional Access MFA, Users will be prompted for MFA when the conditional access policy applies to them on the basis of location etc.


  • It’s important to understand that you don’t need to enable MFA in Azure AD to enable Conditional Access MFA capability, Actually, you should not configure as it will override the conditional access policies.
  • There are two places to configure trusted networks and IP addresses, First one is for user-based MFA and second is for conditional access. These two settings are unique for each configuration and do not affect each other.
  • A user logging in from an unmanaged device should be prompted for multi-factor authentication , A user logging in from a managed device should not be prompted for multi-factor authentication