Enforced means the user has completed the MFA registration. Enabled means they have not and have 14 days by default or will be forced. I’d you don’t want MFA you simply don’t click enable MFA. You should never click enforce unless they have previously registered according to MS. Good video
@networkn
4 ай бұрын
Enjoyed this. What is frustrating is that some parts of 365 can show MFA not configured, but it IS configured, under Conditional Access.
@mattsnider5704
3 күн бұрын
As usual, a wonderfully precise, straight to the point video. Thank you.
@GoreGamer
9 ай бұрын
You and Andy are my Hero's!!!! This video is absolutely amazing, and I'm actively implementing the strategies outlined here. However, I'm facing a challenge in my environment. Somehow, the 'Verify by Phone' feature got activated for my users. We're planning a full rollout in the 2nd or 3rd week of January, and I need this phone verification feature turned off temporarily until we complete our user migration. My plan is to enable all multi-factor authentication (MFA) and phone verification after 90+ days post-migration. Any advice on how to manage this would be greatly appreciated!
@bearded365guy
9 ай бұрын
Thanks! Can you use an MFA campaign?
@SilesianWarrior
6 ай бұрын
I've enabled MFA for half my users using per user method. If i was to enable it now for everyone, via defaults, will the previous, already enrolled users be affected as well? I'd love to get 50% less phone calls about forgotten passwords during deployment.
@davidadams421
5 ай бұрын
If MFA is already setup for a user then, in theory, they shouldn't be asked to set it up again when security defaults is enabled, however, Microsoft does actually recommend that all exiting tokens are deleted and all users are set to re-register MFA when enabling security defaults (they recommend doing this via powershell). Google 'Security defaults in Microsoft Entra ID' for further info.
@davidadams421
5 ай бұрын
If MFA is already setup for a user then, in theory, they shouldn't be asked to set it up again when security defaults is enabled, however, Microsoft does actually recommend that all exiting tokens are deleted and all users are required re-register MFA when enabling security defaults. Google 'Security defaults in Microsoft Entra ID' for further info.
@SeiferAlmasy21
9 ай бұрын
Per User is deprecated..
@hunterx1191
6 ай бұрын
It's not though.
@davidadams421
5 ай бұрын
Security Defaults mandates that normal users must *setup* MFA (within 14 days) but *does not* mandate its use, except when the system determines the sign-in as 'risky' e.g. last sign-in was from UK, then suddenly the next is from Africa, or if the user is resetting their own password. Security Defaults mandates MFA registration *and use* for all administrative roles e.g. Global Admin, User Admin etc. Google 'Security defaults in Microsoft Entra ID' for further info. I think this is a nice balance between security and user convenience, imho.
@theoyiorkas
7 ай бұрын
If only the administrator has the Premium license and has set Conditional Access, then the regular users who have Basic or Standard license, what policy do they follow?
Пікірлер: 12