Merge pull request #79812 from MicrosoftGuyJFlo/CASupportability725253

PRMerger12 · web-flow · commit f816dedb6b31 · 2019-06-18T01:24:40.000+08:00
[Azure AD] Conditional Access - Supportability 735253
diff --git a/articles/active-directory/authentication/howto-mfa-userstates.md b/articles/active-directory/authentication/howto-mfa-userstates.md
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 You can take one of two approaches for requiring two-step verification, both of which require using a global administrator account. The first option is to enable each user for Azure Multi-Factor Authentication (MFA). When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the _remembered devices_ feature is turned on). The second option is to set up a Conditional Access policy that requires two-step verification under certain conditions.
 
 > [!TIP]
-> Choose one of these methods to require two-step verification, not both. Enabling a user for Azure Multi-Factor Authentication overrides any Conditional Access policies.
+> Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach. Changing user states is no longer recommended unless your licenses do not include Conditional Access as it will require users to perform MFA every time they sign in.
 
 ## Choose how to enable
 
