CA-01: Creating a Baseline MFA Policy for All Users

Overview

This guide walks you through creating a Conditional Access policy that requires Multi-Factor Authentication (MFA) for all users accessing cloud applications. This is the foundational identity control: Microsoft's own published figure is that MFA blocks more than 99.9% of account compromise attacks, because a stolen or guessed password alone is no longer enough to sign in.

Control ID: CA-01
Category: Conditional Access
Severity: Critical
License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)

Why This Matters

Without MFA enforcement via Conditional Access, attackers who obtain user credentials through phishing, password spraying, or credential stuffing can immediately access your organization's data. A Conditional Access MFA policy provides:

  • Granular control over who requires MFA and when
  • Proper exclusions for emergency access accounts (break-glass)
  • Audit trail of policy enforcement and authentication events
  • Flexibility to adjust requirements without affecting all users

Prerequisites

Required Roles

You need one of the following Entra ID roles:

  • Conditional Access Administrator (recommended - least privilege)
  • Security Administrator
  • Global Administrator

Required Licenses

  • Microsoft Entra ID P1 or higher for each user in scope
  • Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2

Pre-Configuration Requirements

Before creating this policy, ensure:

  1. Emergency access accounts exist - At least 2 break-glass accounts are created (see PA-03 guide)
  2. Users have registered MFA methods - Run an MFA registration campaign if registration is low
  3. A pilot group is ready - Recommended for initial testing before full rollout

Time Estimate

Task              Duration
Policy creation   10-15 minutes
Pilot testing     1-2 days
Full rollout      5-10 minutes
Total             2-3 days including testing

Step-by-Step Instructions

Step 1: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com) with one of the roles listed under Prerequisites
  2. In the left navigation, expand Protection
  3. Select Conditional Access
  4. Click Policies in the submenu

Step 2: Create a New Policy

  1. Click + New policy at the top of the policies list
  2. Enter a descriptive name: Require MFA for All Users

Step 3: Configure Users and Groups

  1. Under Assignments, click Users
  2. Select All users under Include
  3. Under Exclude, click Users and groups
  4. Add your emergency access accounts (e.g., BreakGlass1@contoso.onmicrosoft.com, BreakGlass2@contoso.onmicrosoft.com)

Important: Always exclude emergency access accounts. Without this exclusion, a misconfiguration could lock out your entire tenant.

Step 4: Configure Target Resources

  1. Under Target resources, click Cloud apps (newer versions of the portal label this Resources (formerly cloud apps))
  2. Select All cloud apps under Include
  3. Leave Exclude empty (or exclude specific apps if you have documented exceptions)

Step 5: Configure Conditions (Optional)

For the baseline MFA policy, no conditions are configured: every condition that is left unconfigured widens the scope rather than narrowing it. Two settings are worth understanding before you leave them alone:

  • Client apps: Leave unconfigured. An unconfigured client apps condition applies the policy to every client app type (browser, mobile apps and desktop clients, and legacy authentication clients). Legacy authentication clients cannot satisfy an MFA requirement, so they are blocked once the policy is on; that is the intended outcome (see ID-02), but it is the usual source of failures from old mail clients during the report-only period.
  • Device platforms: Leave unconfigured for universal enforcement.

Step 6: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require multifactor authentication
  4. Click Select

Step 7: Configure Session Controls (Optional)

For a baseline policy, session controls are typically not configured. See CA-07 and CA-11 for session-specific controls.

Step 8: Enable the Policy

Recommended approach - Start with Report-only:

  1. Under Enable policy, select Report-only
  2. Click Create
  3. Monitor the Sign-in logs for 1-2 days to validate impact. In report-only mode the policy is evaluated but not enforced; each sign-in records the outcome it would have had (for example "Report-only: Failure" for a user with no registered MFA method or a legacy authentication client) on the Report-only tab of the sign-in details
  4. Once validated, edit the policy and change to On

Direct enablement (if confident):

  1. Under Enable policy, select On
  2. Click Create
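The same policy can be created outside the portal, which is useful for keeping the configuration in source control and for rebuilding it identically in another tenant. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original guide. It assumes the Microsoft.Graph module is installed, that the account running it holds one of the roles listed under Prerequisites, and that the two break-glass UPNs (the guide's placeholders) exist. One detail the portal hides: the Graph API identifies excluded users by directory object ID, not by UPN, so the script resolves the UPNs first and refuses to create the policy if any lookup fails, because a policy saved with an empty exclusion list is exactly the lockout risk Step 3 warns about.

```powershell
# Added example, not code from the original guide. Creates CA-01 via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; caller holds Conditional Access Administrator
# or higher; the break-glass UPNs below (placeholders from the guide) exist in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# excludeUsers takes object IDs, not UPNs. Resolve each UPN and stop on the first failure
# so the policy is never created with a partial or empty exclusion list.
$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id -ErrorAction Stop).Id
})
if ($breakGlassIds.Count -ne $breakGlassUpns.Count) {
    throw "Refusing to create the policy: not every emergency access account resolved to an object ID."
}

# Mirrors the Policy Configuration Summary: all users (minus break-glass), all cloud apps,
# no conditions, grant access with MFA. Starts in report-only, as Step 8 recommends.
$policy = @{
    displayName   = "Require MFA for All Users"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after validation
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")   # same scope as leaving the Client apps condition unconfigured
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After 1-2 days in report-only with no unexpected failures, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keep the script (or the exported policy JSON) with the rest of your tenant configuration; when the policy is later edited in the portal, diffing the live object from Get-MgIdentityConditionalAccessPolicy against the stored version is the quickest way to spot an exclusion that has been quietly widened.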

Verification Checklist

After enabling the policy, verify successful implementation:

Immediate Checks

  • Policy appears in the Conditional Access policies list with status "On"
  • Emergency access accounts are listed in the exclusions
  • The policy saved without validation warnings (the portal blocks a save that would exclude no users only if you have enabled that safeguard, so check the exclusion list yourself)

Sign-in Log Validation

  1. Navigate to Entra admin center > Monitoring & health > Sign-in logs
  2. Filter for recent sign-ins
  3. Click on a sign-in and check the Conditional Access tab (for a policy in Report-only mode, use the Report-only tab instead)
  4. Verify your policy appears with result "Success" or "Failure" (not "Not applied"); in report-only mode the equivalent results are "Report-only: Success" and "Report-only: Failure"

Test User Validation

  1. Sign out and sign in with a test user account (not an emergency access account)
  2. Verify MFA prompt appears
  3. Complete MFA successfully
  4. Confirm access to applications is granted

Emergency Account Validation

  1. Sign in with one emergency access account
  2. Verify MFA is NOT prompted by this policy (policy exclusion working). The exclusion only means CA-01 does not apply; the account's own safeguards from PA-03 stay in place
  3. Document this test for audit purposes
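Clicking through individual sign-ins scales poorly during the report-only period described in Step 8, and the two validations above (ordinary users hit the policy, break-glass accounts do not) are easier to prove over a day of data than with one test sign-in each. The following added example, not part of the original guide, pulls the last 24 hours of sign-ins through Microsoft Graph PowerShell and summarises how this policy was evaluated. It assumes the Microsoft.Graph module and consent for AuditLog.Read.All and Directory.Read.All; the policy name and break-glass UPNs are the guide's placeholders.

```powershell
# Added example, not code from the original guide. Summarises how CA-01 was evaluated
# across recent sign-ins, using Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; AuditLog.Read.All and Directory.Read.All
# consented; policy name and break-glass UPNs are the guide's placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Require MFA for All Users"
$breakGlass = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")
$since      = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in carries one entry per Conditional Access policy that was evaluated.
# Result is one of: success, failure, notApplied, notEnabled, reportOnlySuccess,
# reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted, unknown.
$rows = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
    [pscustomobject]@{
        User   = $s.UserPrincipalName
        App    = $s.AppDisplayName
        Client = $s.ClientAppUsed
        Result = if ($hit) { $hit.Result } else { "policyNotEvaluated" }
    }
}

# 1. Distribution of outcomes. In report-only you want mostly reportOnlySuccess; a large
#    reportOnlyFailure count is the population that will be locked out when you enforce
#    (unregistered users, see ID-01, or legacy authentication clients, see ID-02).
$rows | Group-Object Result | Sort-Object Count -Descending | Select-Object Name, Count

# 2. Who will fail, and from which client, so the cause can be fixed before enforcement.
$rows | Where-Object Result -in @("failure", "reportOnlyFailure") |
    Group-Object User, Client | Select-Object Name, Count

# 3. Exclusion check. Any break-glass sign-in where the policy did anything other than
#    not apply means the exclusion is broken (typo in the UPN, wrong object, or another policy).
$rows | Where-Object {
    $_.User -in $breakGlass -and
    $_.Result -notin @("notApplied", "reportOnlyNotApplied", "policyNotEvaluated")
}
```

An empty result from the third query is the evidence worth attaching to the audit record for the Emergency Account Validation step; a non-empty one is the "Emergency Account Prompted for MFA" case under Troubleshooting.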

Troubleshooting

Policy Not Applied

Symptom: Users are not prompted for MFA despite policy being enabled.

Solutions:

  1. Verify the policy is set to "On" (not "Report-only")
  2. Conditional Access policies are additive, so another policy that grants access without MFA cannot override this one. Look for exclusions instead: the user is a member of an excluded group, or the application is in the policy's Exclude list
  3. The user may already hold an MFA claim from an earlier sign-in in the same session, in which case no fresh prompt is shown. Check the sign-in log entry's Conditional Access and Authentication Details tabs rather than relying on seeing a prompt
  4. Confirm the user's license includes Conditional Access

Users Locked Out

Symptom: Users cannot authenticate and receive an error.

Solutions:

  1. Check if users have registered MFA methods (Entra admin center > Users > Authentication methods)
  2. Verify the user is not blocked or disabled
  3. Use the Sign-in diagnostic tool in Entra admin center
  4. If you must relieve pressure while investigating, switch the policy to Report-only rather than deleting it: the configuration is kept, and sign-ins continue to record what the policy would have done

Emergency Account Prompted for MFA

Symptom: Break-glass accounts are being asked for MFA.

Solutions:

  1. Edit the policy and verify the emergency accounts are in the Exclude list
  2. Check for typos in the excluded account UPNs, and that the excluded object is the break-glass account itself rather than a similarly named user
  3. Ensure no other policy is requiring MFA for these accounts; every MFA-requiring policy needs the same exclusion, not just CA-01
  4. Check that legacy per-user MFA is not set to Enforced on these accounts. Per-user MFA prompts regardless of Conditional Access exclusions and must be Disabled for break-glass accounts (see PA-03)
  5. Use the "What If" tool to validate exclusions
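Solution 3 above is tedious to verify by hand once a tenant has more than a handful of policies. The following added example, not part of the original guide, lists every enabled or report-only Conditional Access policy that does not exclude both emergency access accounts, using Microsoft Graph PowerShell. It assumes the Microsoft.Graph module and consent for Policy.Read.All and User.Read.All; the break-glass UPNs are the guide's placeholders.

```powershell
# Added example, not code from the original guide. Finds Conditional Access policies
# that do not exclude every break-glass account, using Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; Policy.Read.All and User.Read.All consented;
# the break-glass UPNs are the guide's placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All"

$breakGlassUpns = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com")

# Exclusions are stored as object IDs, so compare IDs rather than UPNs.
$breakGlassIds = @(foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id -ErrorAction Stop).Id
})

# Disabled policies cannot prompt anyone; only enabled and report-only ones matter.
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -in @("enabled", "enabledForReportingButNotEnforced") }

$findings = foreach ($p in $policies) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    $missing  = @($breakGlassIds | Where-Object { $_ -notin $excluded })
    if ($missing.Count -gt 0) {
        [pscustomobject]@{
            Policy            = $p.DisplayName
            State             = $p.State
            GrantControls     = ($p.GrantControls.BuiltInControls -join ",")
            MissingExclusions = ($missing -join ",")
        }
    }
}

$findings | Format-Table -AutoSize
```

The check only reads the policy's direct user exclusions. If you exclude break-glass accounts through a group (Conditions.Users.ExcludeGroups), those policies will appear as findings here; resolve the group membership with Get-MgGroupMember and extend the comparison before treating a finding as a defect.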

What If Tool

Use the "What If" tool to troubleshoot before making changes:

  1. Navigate to Conditional Access > Policies
  2. Click What If at the top
  3. Select a user and resource
  4. Review which policies would apply and their outcomes

Policy Configuration Summary

Setting           Value
Policy Name       Require MFA for All Users
Users - Include   All users
Users - Exclude   Emergency access accounts
Cloud Apps        All cloud apps
Conditions        None
Grant             Require multifactor authentication
Session           None
Enable Policy     On

Related Controls

  • PA-03: Configure Emergency Access Accounts (prerequisite)
  • CA-02: Require MFA for All Administrators (additional protection)
  • ID-01: User MFA Registration (ensure users can complete MFA)
  • ID-02: Block Legacy Authentication (prevent MFA bypass)

Additional Resources