Conditional access with Multifactor authentication (MFA)
Microsoft Entra Conditional Access brings signals together to make decisions and enforce organizational policies. Multifactor authentication (MFA) protects a customer's identity by prompting for a second verification method before access is granted. In this demo, a Conditional Access policy targeted at all users prompts for MFA whenever Microsoft Entra ID Protection rates the sign-in risk as medium or high; sign-ins rated low or no risk are not prompted.
Prerequisites
Before you start, make sure you have configured the following:

Start by creating a Conditional Access policy to secure the application. Sign in to the Microsoft Entra admin center and browse to Protection > Conditional Access. Then, select New policy.
Under Assignments, select the link under Users. On the Include tab, select All users. On the Exclude tab, select your organization's emergency access (break-glass) accounts, so that an over-broad or misconfigured risk policy can never lock every administrator out of the tenant.
Under Assignments, select Target resources. On the Include tab, choose Select apps and then select the Select button. Find your app, select it, and then choose Select.
Under Conditions, select the link under Sign-in risk. Set Configure to Yes and select the High and Medium checkboxes. Sign-in risk is calculated by Microsoft Entra ID Protection during authentication; sign-ins it rates as low or no risk are not affected by this policy.
Under Access controls > Grant, select Grant access, then select Require multifactor authentication. With this grant control, the user must prove a second factor, for example a one-time passcode delivered by email or text message, or a phone call, before the sign-in completes.
Confirm your settings and set Enable policy to On. If you prefer to observe the policy's effect before enforcing it, choose Report-only instead and switch it to On after reviewing the sign-in logs. Select Create to create your policy.
Well done!
You created a Conditional Access policy that requires users to complete MFA when their sign-in is considered risky. To check the user experience, sign in to your application with Tor Browser: a sign-in from an anonymizer network triggers the Anonymous IP address detection in ID Protection, which raises the sign-in risk, so the policy should prompt for MFA.
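Seeing an MFA prompt in the browser confirms one sign-in; the sign-in logs show whether every risky sign-in to the app was challenged. The script below is an added example and is not part of the Woodgrove demo code. It assumes the Microsoft Graph PowerShell SDK, a tenant whose sign-in logs are readable through Graph and that has Microsoft Entra ID Protection, the AuditLog.Read.All and Directory.Read.All scopes, and the placeholder {App-ID} replaced with your application (client) ID. The function and property names it defines (Get-RiskySignInEnforcement, Get-EnforcementGaps) are its own.

```powershell
# Added example, not part of the Woodgrove demo: read the sign-in logs and report whether
# risky sign-ins to the protected app were actually challenged by the policy.
# Assumptions: Microsoft Graph PowerShell SDK; sign-in logs available through Graph;
# Microsoft Entra ID Protection enabled; caller granted the scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-RiskySignInEnforcement {
    param (
        [Parameter(Mandatory)] [string] $AppId,        # application (client) ID used in includeApplications
        [Parameter(Mandatory)] [string] $PolicyName,   # displayName of the Conditional Access policy
        [int] $Hours = 24                              # look-back window
    )

    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")

    # Filter server-side on app and time window; the risk level is checked client-side below.
    $signIns = Get-MgAuditLogSignIn -All -Filter "appId eq '$AppId' and createdDateTime ge $since"

    foreach ($s in $signIns) {
        # The policy only applies to sign-ins that ID Protection rated medium or high.
        if ($s.RiskLevelDuringSignIn -notin @("medium", "high")) { continue }

        $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $PolicyName }
        $policyResult = if ($applied) { $applied.Result } else { "notApplied" }
        $signInStatus = if ($s.Status.ErrorCode -eq 0) { "success" } else { "error $($s.Status.ErrorCode)" }

        [pscustomobject]@{
            Time         = $s.CreatedDateTime
            User         = $s.UserPrincipalName
            IP           = $s.IpAddress
            Risk         = $s.RiskLevelDuringSignIn
            Detections   = ($s.RiskEventTypesV2 -join ",")   # e.g. anonymizedIPAddress for a Tor exit node
            PolicyResult = $policyResult                      # success, failure, notApplied, reportOnly*...
            MfaRequired  = ($s.AuthenticationRequirement -eq "multiFactorAuthentication")
            SignInStatus = $signInStatus
        }
    }
}

function Get-EnforcementGaps {
    param ([object[]] $Rows)
    # A risky sign-in that the policy did not apply to, or that completed without MFA,
    # points at a wrong app ID, a disabled or report-only policy, or a user in an exclusion.
    $Rows | Where-Object { $_.PolicyResult -ne "success" -or -not $_.MfaRequired }
}

$rows = Get-RiskySignInEnforcement -AppId "{App-ID}" -PolicyName "Woodgrove demo - sign in risk"
$rows | Format-Table -AutoSize
Get-EnforcementGaps -Rows $rows
```

While the policy is in Report-only mode, PolicyResult shows reportOnlySuccess or reportOnlyFailure and MfaRequired stays false, so every risky row is reported as a gap; that output tells you what the policy would have done, not that it is broken.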
Create conditional access policy
The following example creates a Conditional Access policy that targets risky sign-ins for all users. As written it excludes no one: before you enable it, add the object IDs of your emergency access (break-glass) accounts to excludeUsers so the policy cannot lock administrators out. The policy is created with state set to disabled; change it to enabledForReportingButNotEnforced to observe its effect, or to enabled to enforce it. In the JSON below, replace {App-ID} with the application (client) ID of your web or mobile application (the App ID, not the Object ID). You can list more application IDs in includeApplications.
Over HTTP, send the JSON below as the request body:
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
With the Microsoft Graph PowerShell SDK, first connect with the scope the write requires; the same body is then passed as the $params hashtable to the cmdlet shown after the JSON:
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
{
  "templateId": null,
  "displayName": "Woodgrove demo - sign in risk",
  "state": "disabled",
  "sessionControls": null,
  "conditions": {
    "userRiskLevels": [],
    "signInRiskLevels": [
      "high",
      "medium"
    ],
    "clientAppTypes": [
      "all"
    ],
    "platforms": null,
    "locations": null,
    "times": null,
    "deviceStates": null,
    "devices": null,
    "clientApplications": null,
    "applications": {
      "includeApplications": [
        "{App-ID}"
      ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [
        "All"
      ],
      "excludeUsers": [],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "mfa"
    ],
    "customAuthenticationFactors": [],
    "termsOfUse": [],
    "authenticationStrength": null
  }
}
New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params
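The body above targets All users with empty exclusions, which is the configuration that locks a tenant out when the app ID is wrong or ID Protection flags an administrator. The script below is an added example, not part of the Woodgrove demo code, showing how to build the same policy body with break-glass exclusions and a report-only rollout, and to refuse to submit it otherwise. It assumes the Microsoft Graph PowerShell SDK with the Policy.ReadWrite.ConditionalAccess and User.Read.All scopes; the function names (New-SignInRiskPolicyBody, Add-BreakGlassExclusions, Assert-SafeToEnable) and the UPN breakglass1@contoso.example are its own, and {App-ID} must be replaced with your application (client) ID. The role template ID used for Global Administrator is the well-known directory role template ID, not a value from this page.

```powershell
# Added example, not part of the Woodgrove demo: build the sign-in risk policy body with
# emergency access exclusions and a report-only state, and validate it before creation.
# Assumptions: Microsoft Graph PowerShell SDK; scopes below granted; break-glass UPNs exist.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Well-known directory role template ID for Global Administrator (same in every tenant).
$GlobalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10"

function New-SignInRiskPolicyBody {
    param (
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $AppIds      # application (client) IDs, not object IDs
    )
    # Same shape as the JSON body on this page, reduced to the fields the policy needs.
    return @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"   # observe first, enforce later
        conditions    = @{
            signInRiskLevels = @("high", "medium")
            clientAppTypes   = @("all")
            applications     = @{ includeApplications = @($AppIds); excludeApplications = @() }
            users            = @{
                includeUsers = @("All"); excludeUsers = @()
                includeGroups = @(); excludeGroups = @()
                includeRoles = @(); excludeRoles = @()
            }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
}

function Add-BreakGlassExclusions {
    param (
        [Parameter(Mandatory)] [hashtable] $Body,
        [Parameter(Mandatory)] [string[]]  $BreakGlassUpns
    )
    # excludeUsers takes object IDs, so resolve each UPN through Graph first.
    $ids = foreach ($upn in $BreakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id }
    $Body.conditions.users.excludeUsers = @($ids)
    $Body.conditions.users.excludeRoles = @($GlobalAdminRoleTemplateId)
    return $Body
}

function Assert-SafeToEnable {
    param ([Parameter(Mandatory)] [hashtable] $Body)
    $users = $Body.conditions.users
    $apps  = $Body.conditions.applications
    $problems = @()
    if ($apps.includeApplications -contains "{App-ID}") {
        $problems += "placeholder {App-ID} has not been replaced with a real application ID"
    }
    if ($users.includeUsers -contains "All" -and @($users.excludeUsers).Count -eq 0) {
        $problems += "policy targets All users but excludes no emergency access accounts"
    }
    if ($Body.state -eq "enabled" -and @($users.excludeRoles).Count -eq 0) {
        $problems += "enforced policy does not exclude the Global Administrator role"
    }
    if ($problems.Count -gt 0) {
        throw ("Refusing to submit policy '{0}': {1}" -f $Body.displayName, ($problems -join "; "))
    }
}

$body = New-SignInRiskPolicyBody -DisplayName "Woodgrove demo - sign in risk" -AppIds @("{App-ID}")
$body = Add-BreakGlassExclusions -Body $body -BreakGlassUpns @("breakglass1@contoso.example")  # assumed UPN
Assert-SafeToEnable -Body $body
New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $body | Format-List
```

Once the report-only sign-in logs show only the expected risky sign-ins being flagged, switch the policy on with Update-MgBetaIdentityConditionalAccessPolicy and a body whose state is "enabled"; Assert-SafeToEnable still passes because the exclusions are kept.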
PowerShell script
function Add-ConditionalAccessPolicy {
    param (
        $PolicyName,
        $AppId
    )

    # Define the conditional access policy
    $params = @{
        templateId      = $null
        displayName     = $PolicyName
        state           = "enabled"
        sessionControls = $null
        conditions      = @{
            userRiskLevels     = @()
            signInRiskLevels   = @(
                "high"
                "medium"
            )
            clientAppTypes     = @(
                "all"
            )
            platforms          = $null
            locations          = $null
            times              = $null
            deviceStates       = $null
            devices            = $null
            clientApplications = $null
            applications       = @{
                includeApplications                         = @(
                    $AppId
                )
                excludeApplications                         = @()
                includeUserActions                          = @()
                includeAuthenticationContextClassReferences = @()
                applicationFilter                           = $null
            }
            users              = @{
                includeUsers                 = @(
                    "All"
                )
                excludeUsers                 = @()
                includeGroups                = @()
                excludeGroups                = @()
                includeRoles                 = @()
                excludeRoles                 = @()
                includeGuestsOrExternalUsers = $null
                excludeGuestsOrExternalUsers = $null
            }
        }
        grantControls   = @{
            operator                    = "OR"
            builtInControls             = @(
                "mfa"
            )
            customAuthenticationFactors = @()
            termsOfUse                  = @()
            authenticationStrength      = $null
        }
    }

    # Try to find the policy by name
    $ca = Get-MgBetaIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"

    # Create or update the conditional access policy
    if ($null -ne $ca) {
        # Refuse to update when several policies share the same name.
        if ($ca.Count -gt 1) {
            $policyCount = $ca.Count
            Write-Error -Message "The operation could not be completed because $policyCount '$PolicyName' policies were found in the directory."
            return
        }

        Write-Host "Updating policy" $ca.Id
        Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca.Id -BodyParameter $params
        Write-Host "The conditional access policy has been successfully updated"
    }
    else {
        Write-Host "Creating new policy"
        New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params | Format-List
        Write-Host "The conditional access policy has been successfully created"
    }
}

# Connect to the Microsoft Entra tenant with the required scope
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Run the script (replace {App-ID} with the application (client) ID of your app)
Add-ConditionalAccessPolicy -PolicyName "Woodgrove demo - sign in risk" -AppId "{App-ID}"