In Azure Active Directory, organizations should protect their identities with strong controls so that accounts are not compromised. For this purpose, Microsoft introduced Multi-Factor Authentication (MFA), which adds a second authentication step before a login completes.
There are two ways an IT admin can enable MFA for users: Per-User and Conditional Access. Let's look at how they differ:
Per-User MFA is applied every time a user accesses a cloud application such as Exchange Online, SharePoint Online or Teams. IT or system admins can turn it on from either of two places. One is Office 365 Admin Center > Active Users: click Multi-factor authentication, which opens a separate MFA window where you can search for one or more users and click “Enable” or “Enforce” to turn MFA on. The other is Azure Active Directory > Users: click Multi-factor authentication to do the same.
The other way to enable MFA is Conditional Access (CA), where MFA is tied to conditions. Whenever a condition is met, the user is prompted for MFA and asked for a second authentication factor, i.e. a code via text message, a call, or a push notification. The conditions that can be selected for requiring MFA are Locations, Sign-in risk, Device Platform and Client Apps.
Administrators can use the Report-Only mode feature in CA to determine the impact on users before applying CA policies. In this mode, policies are only evaluated, not enforced. Similarly, there is the What-If tool, which asks for a scenario and generates a report of the impact the policies would have if applied later on.
I highly recommend that administrators use these Conditional Access (CA) evaluation tools to satisfy themselves about the impact and avoid any disruption in the production environment.
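As an added example (not part of the original post), the following Microsoft Graph PowerShell script creates a CA policy in Report-Only mode that requires MFA and uses the four condition types mentioned above. The policy name, the chosen condition values and the pilot group ID placeholder are assumptions for illustration.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module and an
# account permitted to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: replace with the object ID of a pilot group in your tenant.
$pilotGroupId = '<pilot-group-object-id>'

$policy = @{
    displayName = 'PILOT - Require MFA (report-only)'   # constructed name
    # Report-only: the policy is evaluated at sign-in and the result is
    # recorded in the sign-in logs, but nothing is enforced on the user.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Scope to a pilot group first instead of all users.
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @('All') }

        # The conditions below are ANDed: the policy applies only when a
        # sign-in matches every one of them. Drop a condition to widen it.
        locations        = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # skip trusted named locations
        }
        signInRiskLevels = @('medium', 'high')   # needs Identity Protection
        platforms        = @{ includePlatforms = @('android', 'iOS', 'windows', 'macOS') }
        clientAppTypes   = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')               # grant access, require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, the same
# policy can be switched to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```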
Thank you for reading.