
Configuring Multi-Factor Authentication

30 mins

Understanding the Concept

Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access resources. In Microsoft Entra ID, MFA can be enforced through security defaults (basic), Conditional Access policies (recommended), or per-user MFA settings (legacy).

Conditional Access-based MFA is the recommended approach as it provides granular control. You can require MFA for specific applications, user groups, risk levels, locations, or device states. This avoids the all-or-nothing approach of security defaults.

The MFA registration experience is managed through the combined registration flow, in which users register for both MFA and self-service password reset (SSPR) at the same time. Administrators can use the Registration Campaign feature to nudge users to set up the Microsoft Authenticator app.

Key Points

  • Security Defaults: Free, enables MFA for all users (basic enforcement)
  • Conditional Access MFA: Granular policies based on conditions (requires P1)
  • Per-user MFA: Legacy method, avoid for new deployments
  • Combined registration: Users register MFA and SSPR in one flow
  • MFA fraud alerts: Users can report suspicious MFA prompts

MFA Enforcement Flow

  • Step 1. User Signs In: the user provides primary credentials (username/password)
  • Step 2. Policy Evaluation: Conditional Access evaluates whether MFA is required
  • Step 3. MFA Challenge: the user is prompted for a second factor (app, SMS, call)
  • Step 4. Verification: the second factor is validated by Entra ID
  • Step 5. Access Granted: a token is issued with the MFA claim and access is permitted

Why This Matters in Real Organizations

MFA is the single most effective security control against identity attacks. Without it, a compromised password gives an attacker full access. With Conditional Access-based MFA, organizations can balance security and user experience by requiring MFA only when the risk warrants it.

Common Mistakes to Avoid

  • Using per-user MFA instead of Conditional Access policies
  • Not providing fallback authentication methods if the primary method is unavailable
  • Enabling MFA without user communication and training on registration
  • Not excluding emergency access (break-glass) accounts from MFA policies
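The Conditional Access approach described under "Understanding the Concept" and the break-glass exclusion listed above, as an added example that is not part of the original lesson: it builds the Microsoft Graph conditionalAccessPolicy body that requires MFA for all users on all cloud apps, runs a pre-flight check for the mistakes listed above, and only then would submit it. The two break-glass object IDs are constructed placeholders, and the policy is created in report-only state first so sign-in logs can be reviewed before enforcement.

```python
import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed placeholder object IDs for the two emergency access accounts (not real tenant values).
BREAK_GLASS_IDS = ["11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222"]


def build_mfa_policy(break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body: MFA for all users on all cloud apps,
    with the break-glass accounts excluded. Default state is report-only."""
    return {
        "displayName": "CA001: Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_problems(policy, break_glass_ids):
    """Pre-flight checks for the common mistakes on this page; returns a list of findings."""
    problems = []
    users = policy["conditions"]["users"]
    excluded = users.get("excludeUsers", [])
    missing = [u for u in break_glass_ids if u not in excluded]
    if missing:
        problems.append(f"break-glass accounts not excluded: {missing}")
    if "mfa" not in policy["grantControls"]["builtInControls"]:
        problems.append("policy does not require MFA")
    if policy["state"] == "enabled" and "All" in users["includeUsers"] and not excluded:
        problems.append("enforced tenant-wide with no exclusions: admin lockout risk")
    return problems


def create_policy(policy, access_token):
    """POST the policy to Graph (token needs Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_mfa_policy(BREAK_GLASS_IDS)
    assert not policy_problems(policy, BREAK_GLASS_IDS), "fix findings before submitting"
    print(json.dumps(policy, indent=2))  # call create_policy(policy, token) once reviewed
```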

Interview Tips

  • Explain why Conditional Access MFA is preferred over security defaults and per-user MFA
  • Discuss the combined registration experience
  • Mention break-glass accounts and why they need MFA exceptions

Exam Tips (SC-300)

  • Know the three MFA enforcement methods and which is recommended
  • Understand MFA registration and the combined registration flow
  • Know about break-glass accounts and emergency access
