|
| 1 | +--- |
| 2 | +title: Azure Active Directory recommendation - Convert from per-user MFA to conditional access MFA in Azure AD | Microsoft Docs |
| 3 | +description: Learn why you should convert from per-user MFA to conditional access MFA in Azure AD |
| 4 | +services: active-directory |
| 5 | +documentationcenter: '' |
| 6 | +author: MarkusVi |
| 7 | +manager: karenhoran |
| 8 | +editor: '' |
| 9 | + |
| 10 | +ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e |
| 11 | +ms.service: active-directory |
| 12 | +ms.topic: reference |
| 13 | +ms.tgt_pltfrm: na |
| 14 | +ms.workload: identity |
| 15 | +ms.subservice: report-monitor |
| 16 | +ms.date: 03/21/2022 |
| 17 | +ms.author: markvi |
| 18 | +ms.reviewer: hafowler |
| 19 | + |
| 20 | +ms.collection: M365-identity-device-management |
| 21 | +--- |
| 22 | + |
| 23 | +# Azure AD recommendation: Convert from per-user MFA to conditional access MFA |
| 24 | + |
| 25 | +[Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices. |
| 26 | + |
| 27 | + |
| 28 | +This article covers the recommendation to convert from per-user MFA to conditional access MFA. |
| 29 | + |
| 30 | + |
| 31 | +## Description |
| 32 | + |
| 33 | +As an admin, you want to maintain security for my company’s resources, but you also want your employees to easily access resources as needed. |
| 34 | + |
| 35 | +Multi-factor authentication (MFA) enables you to enhance the security posture of your tenant. In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on). |
| 36 | + |
| 37 | +While enabling MFA is a good practice, you can reduce the number of times your users are prompted for MFA by converting per-user MFA to MFA based on conditional access. |
| 38 | + |
| 39 | + |
| 40 | +## Logic |
| 41 | + |
| 42 | +This recommendation shows up, if: |
| 43 | + |
| 44 | +- You have per-user MFA configured for at least 5% of your users |
| 45 | +- Conditional access policies are active for more than 1% of your users (indicating familiarity with CA policies). |
| 46 | + |
| 47 | +## Value |
| 48 | + |
| 49 | +This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. Ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible. |
| 50 | + |
| 51 | +## Action plan |
| 52 | + |
| 53 | +1. To get started, confirm that there's an existing conditional access policy with an MFA requirement. Ensure that you're covering all resources and users you would like to secure with MFA. Review your [conditional access policies](https://portal.azure.com/?Microsoft_AAD_IAM_enableAadvisorFeaturePreview=true&%3BMicrosoft_AAD_IAM_enableAadvisorFeature=true#blade/Microsoft_AAD_IAM/PoliciesTemplateBlade). |
| 54 | + |
| 55 | +2. To require MFA using a conditional access policy, follow the steps in [Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md). |
| 56 | + |
| 57 | +3. Ensure that the per-user MFA configuration is turned off. |
| 58 | + |
| 59 | + |
| 60 | + |
| 61 | +## Next steps |
| 62 | + |
| 63 | +- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md) |
| 64 | +- [Azure AD reports overview](overview-reports.md) |
0 commit comments