SECURITY BULLETIN: Microsoft to Start Enforcing Multifactor Authentication

February 06, 2024 | Posted in: Security Bulletins & Alerts

Beginning this month, February 2024, Microsoft will start enforcing certain Conditional Access policies automatically for all Microsoft 365 and Office 365 customers. More details are provided below.

Systems Engineering has been promoting the adoption of Multi-Factor Authentication (MFA) and conditional access for some time. Therefore, we expect the impact of this change to be limited. As a managed service client of Systems Engineering, you should contact us if you start having any issues accessing your Office 365 applications.  

Microsoft is introducing these Conditional Access policies in Microsoft Entra ID (formerly Azure AD) to help customers be automatically secured by streamlining identity protection. These policies are based on Microsoft’s deep knowledge of the current cyberthreat landscape and will be adapted over time to keep the security bar high. 

What is Conditional Access? 

In simple terms, Entra ID Conditional Access is a way of making sure that only the right people can access your online resources, such as email, documents, or apps. It does this by checking various factors about the person who is trying to sign in, such as who they are, what device they are using, where they are, and how risky their behavior is. Based on these factors, Entra ID Conditional Access can allow the sign-in, block it, or challenge the person to prove their identity with something like a code sent to their phone or approval from another app. This way, you can protect your data and accounts from hackers, malware, or phishing attacks. Note that the level of Entra ID licensing, P1 or P2, determines the breadth of protections available.

These new automatic Conditional Access policies are designed to provide clear, self-deploying guidance for customers who need more control than security defaults, which are on-by-default MFA policies for new and existing tenants. Customers can view, customize, or disable the automatic policies, or clone them and make their own changes. 

Microsoft Automatically Enforced Policies

The three automatic policies that will be rolled out are related to MFA, which is Microsoft's top recommendation for improving identity security. The policies are:

  • Require multifactor authentication for all users accessing their organization's admin portal(s).
    • This policy impacts any admin user who has not set up MFA for their admin account.
  • Require MFA for all users already enabled in the per-user MFA portal.
    • This policy impacts all users of clients with Entra ID P1 (formerly Azure AD P1) licensing who have deployed the older "per-user" MFA, which required each new user to be added manually.
  • Require additional challenges beyond MFA for sign-in attempts that Microsoft identifies as suspicious or high-risk.
    • This policy impacts users with Entra ID P2 (formerly Azure AD P2). Most SE clients with P2 licensing already have the required Conditional Access policies and should not be impacted by this.

Microsoft will begin a gradual rollout of these policies to all eligible tenants starting this month. Any customers who have already taken the steps to set up Conditional Access policies for MFA within their environments should not be affected by this change. Clients with our Cloud Security service will be aware of the benefits of Conditional Access and have the option to proactively adopt. 
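The quickest way to tell whether your tenant already has equivalent policies in place is to read them back from Microsoft Graph. The script below is an added example written for this bulletin; it is not code from Microsoft or from Systems Engineering. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the Policy.Read.All permission. The function names (Test-RequiresMfa and the three Test-Covers* helpers) are our own; the cmdlets, property names and the 'MicrosoftAdminPortals' and 'All' application values are those of the Graph SDK.

```powershell
# Added example (not from the bulletin or from Microsoft): list the tenant's
# Conditional Access policies and report whether an enabled policy already
# covers each of the three areas Microsoft's automatic policies address.
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.Read.All scope.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Only policies in the 'enabled' state enforce anything; report-only
# ('enabledForReportingButNotEnforced') and disabled policies do not.
$enforced = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' }

function Test-RequiresMfa {
    param($Policy)
    $controls = @($Policy.GrantControls.BuiltInControls)
    # 'mfa' is the classic built-in control; an authentication strength
    # (e.g. phishing-resistant MFA) also satisfies an MFA requirement.
    return ($controls -contains 'mfa') -or
           ($null -ne $Policy.GrantControls.AuthenticationStrength)
}

function Test-CoversAdminPortals {
    param($Policy)
    $apps  = @($Policy.Conditions.Applications.IncludeApplications)
    $users = $Policy.Conditions.Users
    # Admins are in scope if the policy targets everyone or any directory role.
    $adminScope = (@($users.IncludeUsers) -contains 'All') -or
                  (@($users.IncludeRoles).Count -gt 0)
    # 'MicrosoftAdminPortals' is the cloud-app value Entra uses for the admin centers.
    $appScope = ($apps -contains 'MicrosoftAdminPortals') -or ($apps -contains 'All')
    return $appScope -and $adminScope -and (Test-RequiresMfa $Policy)
}

function Test-CoversAllUsers {
    param($Policy)
    $apps  = @($Policy.Conditions.Applications.IncludeApplications)
    $users = @($Policy.Conditions.Users.IncludeUsers)
    return ($apps -contains 'All') -and ($users -contains 'All') -and
           (Test-RequiresMfa $Policy)
}

function Test-CoversHighRisk {
    param($Policy)
    $signInRisk = @($Policy.Conditions.SignInRiskLevels)
    $userRisk   = @($Policy.Conditions.UserRiskLevels)
    # Any grant control (mfa, block, password change, ...) counts as a response.
    $hasControl = (@($Policy.GrantControls.BuiltInControls).Count -gt 0) -or
                  ($null -ne $Policy.GrantControls.AuthenticationStrength)
    return (($signInRisk -contains 'high') -or ($userRisk -contains 'high')) -and $hasControl
}

# $true means at least one enabled policy matched that check.
[pscustomobject]@{
    'MFA for admin portals'  = [bool]($enforced | Where-Object { Test-CoversAdminPortals $_ })
    'MFA for all users'      = [bool]($enforced | Where-Object { Test-CoversAllUsers $_ })
    'Controls on high risk'  = [bool]($enforced | Where-Object { Test-CoversHighRisk $_ })
} | Format-List
```

Two caveats when reading the output: the checks look only at the include conditions, so a policy with broad user or group exclusions can show as present while leaving many accounts uncovered, and the third check only applies to tenants with P2 licensing, since risk conditions require Entra ID Protection. A $false on the first two lines is the signal that Microsoft's automatic policy will change sign-in behavior for you this month.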

Microsoft's goal is to eventually combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen customers' security posture on their behalf with the right controls. Microsoft will also keep improving its policies over time as the cyberthreat landscape evolves. 

Please contact us at info@systemsengineering.com with any questions. Clients, please reach out to your Account Manager.