So in the previously post I went through how to activate MFA for Administrator roles i a really simple and effective way.
In this post we will focus on activating MFA for all regular users. And first off all we need to evaluate who should be activated first or should we activate on all users at the same time and do a evaluation on service accounts! If we enable MFA on for example a serivce account used for scan to email on “multi functional printers” or on a mailbox account witch are used on a thirdparty ticketingsystem (POP/IMAP) we could break those service by just enabling MFA on all users.
My recomandation is when you are more then 30 users in your company you should select a few ambasadeurs who is getting the MFA activated first and can therefore be the power users who can help others with the registration if there is any hick-ups (should not be many).
And to activate MFA for end users I highly recomend to use Conditional Access for
- all users and exclude a AzureAD Group which contains a “Break the glass Admin” and other service accounts.
- All cloud apps (no exeptions)
- Grant Access – but require MFA
Easy like that! And It`s a realy quick solution for your company.
Drawback here is that you need “Azure AD Premium P1” licenses to use Conditional Access and a second drawback is that it`s not scored at the Microsoft Secure Score.