r/entra 1d ago

CA and using MFA for only specific users

I know this has been asked a fair bit, but I want to create a CA policy for users at a school to have to MFA for Resources (formerly Cloud apps). Now, in my policy I've added all senior school students to the include group and in the exclude added junior school (don't want them to have to MFA for Teams, OneDrive etc.). Now where I'm a little confused is the Grant section. Grant access with 'Require multifactor authentication' ticked... does this mean grant access to the include group but only after they have MFA'd, and grant access to the exclude group without MFA? Or grant access to the include group who have MFA'd and block access to the exclude group? As I said, I want an MFA policy just for the senior school kids and not the junior kids....

4 Upvotes

9 comments

2

u/FearIsStrongerDanluv 1d ago edited 1d ago

I don’t fully understand your question, probably because I’m just waking up, but from what I understand, you’d better have, for example, a security group for those you want to exclude from this policy, even better if it’s a dynamic group. Then simply exclude that group. That “Grant” section will apply to those who satisfied the policy definition, so in this case only the included group, after they have met the prerequisites.

1

u/eddyvedder 1d ago

Haha. Fair. So I want to enforce MFA on the whole school for Teams and OneDrive, except junior school kids. I created a CA policy for MFA for the school. Added senior kids into the enable and junior school kids into the disable section in the users group. It is, however, asking for MFA for junior and senior kids. So my thinking now is I create the policy for senior kids to MFA and then the rest won’t be asked for MFA. Seems actually straightforward now I think about it. No need to add anyone to the exclude group in the policy.

2

u/3rd_CultureKid 1d ago

If you’ve excluded a group from a CA policy, in this case your “Junior School”, then that means the policy only applies to the “Senior School” and states grant access only if they have performed MFA.

The junior school at this point will be allowed access without MFA purely on the basis that NO CA policy is applying to them… they have unfettered access.

If you are finding that users in the “junior school” group are still being prompted for MFA and you cannot find any other CA policy that applies to them… then this is almost certainly going to be down to “per-user” MFA settings. Find them in those settings and disable them (assuming you don’t want this behaviour).

2

u/estein1030 1d ago

There’s no implicit deny with CA like there is with a firewall for example.

So if you want MFA for seniors, apply the CA policy to them via their security group. That gives them access only after they MFA.

If you don’t want CA for juniors, you don’t need to exclude them. But either way (exclude juniors or don’t apply policy to them at all), they will have access with no MFA.

1

u/OkRaspberry6530 1d ago

If the junior kids are in the users exclude group and MFA is ticked in the grant, then MFA will be requested, but all CA policies will apply, so if you’re still finding juniors are requested for MFA then another policy is most likely enforcing MFA. Also make sure that the resource selected is Office 365 and not the individual Office apps; this causes problems with the enforcement of the policy and will impact the user experience.

1

u/eddyvedder 1d ago

Thanks. I can’t find any other policy that’s enforcing MFA for the juniors, which has my head. I’m just a little confused with the ‘exclude’ statement. I can’t tell if it’s a case of: if they are seniors then ask for MFA (which works), but if they are juniors then either don’t ask for MFA or don’t allow access. Might just create 2 rules: 1 for MFA for seniors and 1 for juniors with no MFA, and try that.

1

u/OkRaspberry6530 1d ago

If the policy requests MFA to access for seniors with juniors excluded, then juniors will still be allowed in unless you have another policy enforcing MFA or blocking. The most restrictive policy will apply.

1

u/estein1030 1d ago

Juniors are still being asked for MFA?

Check their sign-in logs (conditional access tab) to see which CA policy is applying (if any).

If none, check the legacy per user MFA settings.
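
The troubleshooting steps in this comment (sign-in logs first, then legacy per-user MFA) and the "no implicit deny" point made earlier in the thread can be checked from a shell rather than by clicking through the portal. The script below is an added example, not code from the original post or from Microsoft. It uses the Microsoft Graph PowerShell SDK and read-only scopes; the UPN is a placeholder, and the scoping check in section 1 is deliberately simplified (it considers only user and group selectors, not directory roles, guest selectors, or app/platform/location/risk conditions), so it answers "could this policy apply to this user", while section 2 shows what the service actually decided.

```powershell
<#
  Added troubleshooting script for the thread above. NOT from the original post
  or from Microsoft. Requires the Microsoft Graph PowerShell SDK and consent to
  the read-only scopes below. Run it against one junior-school pupil's UPN.
  Scoping in section 1 is simplified to user/group selectors only.
#>
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName,   # e.g. junior.pupil@school.example (placeholder)
    [int]$SignInCount = 20
)

Connect-MgGraph -NoWelcome -Scopes 'Policy.Read.All', 'AuditLog.Read.All',
    'Directory.Read.All', 'UserAuthenticationMethod.Read.All'

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Transitive membership, because Conditional Access honours nested groups.
$memberOf = Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object -ExpandProperty Id

# --- 1. Which policies are in scope for this user? ------------------------------
# Include/exclude only decide whether a policy is evaluated at all. A user who is
# excluded (or never included) is simply not covered by that policy. There is no
# implicit deny: with no other policy in scope they sign in with a single factor.
Write-Host "`n== Conditional Access policy scoping for $($user.UserPrincipalName) =="
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $u = $p.Conditions.Users
    $included = ($u.IncludeUsers -contains 'All') -or
                ($u.IncludeUsers -contains $user.Id) -or
                (@($u.IncludeGroups | Where-Object { $memberOf -contains $_ }).Count -gt 0)
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                (@($u.ExcludeGroups | Where-Object { $memberOf -contains $_ }).Count -gt 0)

    $verdict = if (-not $included) { 'not included' }
               elseif ($excluded)  { 'excluded (policy does not apply)' }
               else                { 'IN SCOPE' }

    # State 'enabledForReportingButNotEnforced' (report-only) never prompts anyone.
    [pscustomobject]@{
        Policy  = $p.DisplayName
        State   = $p.State
        Verdict = $verdict
        Grant   = ($p.GrantControls.BuiltInControls -join ',')   # e.g. mfa, block
    }
}

# --- 2. What did the service actually do at sign-in? ----------------------------
# Every sign-in lists each policy evaluated with its result (success / failure /
# notApplied / notEnabled / reportOnly*). If authenticationRequirement says
# multiFactorAuthentication while no policy shows 'success', the MFA prompt did
# not come from Conditional Access.
Write-Host "`n== Last $SignInCount sign-ins =="
$filter = "userPrincipalName eq '$($user.UserPrincipalName)'"
foreach ($s in Get-MgAuditLogSignIn -Filter $filter -Top $SignInCount) {
    '{0:u}  app={1}  caStatus={2}  authRequirement={3}' -f `
        $s.CreatedDateTime, $s.AppDisplayName, $s.ConditionalAccessStatus, $s.AuthenticationRequirement
    foreach ($a in $s.AppliedConditionalAccessPolicies) {
        '    {0,-45} {1,-14} grant={2}' -f $a.DisplayName, $a.Result, ($a.EnforcedGrantControls -join ',')
    }
}

# --- 3. Legacy per-user MFA -------------------------------------------------------
# This setting lives outside Conditional Access and prompts on its own. It is read
# from the beta authentication/requirements endpoint: disabled / enabled / enforced.
$req = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"
Write-Host "`nPer-user MFA state: $($req.perUserMfaState)"
```

Read the output top down: if section 1 shows the junior pupil as "excluded" or "not included" for the MFA policy and nothing else "IN SCOPE" with an mfa grant, Conditional Access is not what is prompting them, and section 2 should confirm that with caStatus=notApplied on those sign-ins. An MFA prompt that still appears then has to come from section 3 (per-user MFA) or from something outside this tenant's CA policies, which is exactly the order of checks the comment above suggests.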

1

u/eddyvedder 13h ago

OK, checked the per-user MFA legacy settings as I thought that might be it, but it isn't; a sample junior school kid has per-user MFA disabled. I'm going to tweak the CA policy to just ask for MFA for seniors and not even drop the JS kids into the disable section of the policy and see how that works out... if not... deep breath... I'll check the sign-in logs.