We’re all moving into the cloud. As our clients increasingly rely on Microsoft 365, multifactor authentication is of paramount importance in protecting user accounts – Microsoft even says it’s 99.9% effective. There are three ways to implement MFA in Microsoft land: Security Defaults (which we won’t address here as it’s not flexible enough for us), Legacy MFA, and Conditional Access. While both Legacy MFA and Conditional Access aim to bolster protection, they differ significantly in their scope, flexibility, and application.
Legacy Per User Multifactor Authentication
Legacy Per User Multifactor Authentication, as the name suggests, focuses on individual user accounts. This method involves ‘turning on’ MFA for users one at a time. While Legacy Per User Multifactor Authentication adds an extra layer of security, it has limitations. It does not apply to all users universally, and it lacks the ability to differentiate between user roles or the context of access attempts. This can lead to configuration drift, where our intended design (everyone having MFA) gradually drifts away from that idea.
Conditional Access, on the other hand, introduces a more sophisticated and context-aware approach to authentication. This method has several advantages; it can evaluate a range of factors before granting access to a user. These factors can include user location, device health, network status, time of access, and more. By considering these contextual elements, organizations can dynamically adjust the level of authentication required based on the perceived risk of the access attempt.
Conditional Access is also group based, allowing us to move to an ‘opt out’ approach where everyone is subject to the ‘condition’, (in this case, multifactor) and they must be intentionally excluded. This granular approach enhances both security and user experience. For instance, we can easily report who isn’t registered for MFA, correct the situation, and move forward quickly without further drift.
The primary distinction between Legacy Per User Multifactor Authentication and Conditional Access lies in their adaptability. Legacy methods treat all users uniquely, while Conditional Access tailors security measures to the specific circumstances of each access request and can be applied universally. This results in a more seamless experience for users, reducing friction while maintaining a high level of protection against potential threats.
Organizations should consider a move to Conditional Access. It does have a licensing requirement, and that requirement is met easily by Microsoft’s most popular Small to Medium Business SKU – Microsoft 365 Business Premium. A properly configured Conditional Access policy is half of the strongest defense we have today against account compromise. We recommend evaluating this solution for appropriateness in all Microsoft 365 environments.