CA-01: Creating a Baseline MFA Policy for All Users
Overview
This guide walks you through creating a Conditional Access policy that requires Multi-Factor Authentication (MFA) for every user accessing cloud applications. It is the foundational Conditional Access control: Microsoft's own telemetry indicates that MFA stops more than 99.9% of automated account-compromise attempts, so this policy should be in place before any of the more specific controls in this series.
Control ID: CA-01 Category: Conditional Access Severity: Critical License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)
Why This Matters
Without MFA enforcement via Conditional Access, an attacker who obtains a user's credentials through phishing, password spraying, or credential stuffing can sign in immediately and read the organization's data. Compared with Security Defaults or legacy per-user MFA, a Conditional Access MFA policy provides:
- Granular control over who requires MFA and when
- Proper exclusions for emergency access accounts (break-glass)
- Audit trail of policy enforcement and authentication events
- Flexibility to adjust requirements without affecting all users
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended - least privilege)
- Security Administrator
- Global Administrator
Required Licenses
- Microsoft Entra ID P1 or higher for each user in scope
- Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2
Pre-Configuration Requirements
Before creating this policy, ensure:
- Emergency access accounts exist - At least 2 break-glass accounts are created (see PA-03 guide)
- Users have registered MFA methods - Users with no registered method cannot complete the challenge and will be locked out once the policy is enforced. Run a registration campaign first if registration is low (see ID-01)
- A pilot group is ready - Recommended for initial testing before full rollout
Time Estimate
| Task | Duration |
|---|---|
| Policy creation | 10-15 minutes |
| Pilot testing | 1-2 days |
| Full rollout | 5-10 minutes |
| Total | 2-3 days including testing |
Step-by-Step Instructions
Step 1: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- In the left navigation, expand Protection
- Select Conditional Access
- Click Policies in the submenu
Step 2: Create a New Policy
- Click + New policy at the top of the policies list
- Enter a descriptive name:
Require MFA for All Users
Step 3: Configure Users and Groups
- Under Assignments, click Users
- Select All users under Include
- Under Exclude, click Users and groups
- Add your emergency access accounts (e.g., BreakGlass1@contoso.onmicrosoft.com and BreakGlass2@contoso.onmicrosoft.com)
Important: Always exclude emergency access accounts. Without this exclusion, a misconfiguration in this policy or a later one (for example an MFA service outage, or a device-compliance requirement applied too broadly) could lock every administrator out of the tenant, with no account left that can sign in and fix it.
Step 4: Configure Target Resources
- Under Target resources, click Cloud apps (newer versions of the portal label this Resources (formerly 'Cloud apps'))
- Select All cloud apps under Include
- Leave Exclude empty (or exclude specific apps if you have documented exceptions)
Step 5: Configure Conditions (Optional)
For the baseline MFA policy, no conditions are configured, so the policy applies to every sign-in that reaches it. Two conditions are worth understanding even though you leave them alone:
- Client apps: Leave unconfigured. The policy then covers browser, mobile apps and desktop clients, and legacy authentication clients. Legacy clients (Basic authentication, Exchange ActiveSync) cannot complete an MFA challenge, so this policy will fail their sign-ins; block them explicitly with ID-02 rather than relying on that side effect
- Device platforms: Leave unconfigured for universal enforcement. Scoping to named platforms would leave unlisted platforms unprotected
Step 6: Configure Access Controls
- Under Access controls, click Grant
- Select Grant access
- Check Require multifactor authentication
- Click Select
Step 7: Configure Session Controls (Optional)
For a baseline policy, session controls are typically not configured. See CA-07 and CA-11 for session-specific controls.
Step 8: Enable the Policy
Recommended approach - Start with Report-only. In this state the policy is evaluated on every sign-in and its outcome is recorded in the sign-in logs (results prefixed "Report-only"), but nothing is enforced, so you can see exactly who would be prompted or blocked before anyone is:
- Under Enable policy, select Report-only
- Click Create
- Monitor the Sign-in logs for 1-2 days. Look for "Report-only: Failure" results (users who would have been blocked, usually because they have no registered MFA method) and for non-excluded users showing "Report-only: Not applied"
- Once validated, edit the policy and change to On
Direct enablement (if confident):
- Under Enable policy, select On
- Click Create
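Steps 2 through 8 can also be done with the Microsoft Graph PowerShell SDK, which is useful when you manage several tenants or want the policy definition in source control. The following is an added example and not part of the original guide; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed, that the account running it holds one of the roles listed under Prerequisites, and that the two BreakGlass UPNs are placeholders for your own emergency access accounts. It creates the policy in Report-only and reads it back to confirm the exclusions landed.

```powershell
# Added example (not from the original guide): create CA-01 via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users are installed.
# Application.Read.All is requested because reading policies back may reference app objects.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "User.Read.All" -NoWelcome

# Placeholder UPNs: replace with your tenant's emergency access accounts (see PA-03).
$breakGlassUpns = @(
    "BreakGlass1@contoso.onmicrosoft.com",
    "BreakGlass2@contoso.onmicrosoft.com"
)

# Conditional Access stores object IDs, not UPNs, in excludeUsers. Resolve each UPN and
# stop on the first failure: a typo here is exactly the tenant lock-out risk the guide warns about.
$breakGlassIds = @(foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop).Id
})
if ($breakGlassIds.Count -ne $breakGlassUpns.Count) {
    throw "Not every emergency access account resolved; refusing to create the policy."
}

$policy = @{
    displayName   = "Require MFA for All Users"
    # Start in report-only; switch to "enabled" after validating the sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")      # browser, modern clients, legacy auth clients
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")      # "Require multifactor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and verify the exclusions (the guide's "Immediate Checks").
$check   = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$missing = @($breakGlassIds | Where-Object { $_ -notin $check.Conditions.Users.ExcludeUsers })
if ($missing.Count -gt 0) {
    throw "Policy $($check.Id) was created but these emergency accounts are NOT excluded: $($missing -join ', ')"
}
"Policy '{0}' created in state '{1}' with {2} emergency account(s) excluded." -f `
    $check.DisplayName, $check.State, $check.Conditions.Users.ExcludeUsers.Count

# After 1-2 days of clean report-only results, enforce it (Step 8, "change to On"):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Resolving UPNs to object IDs up front matters: the portal does this for you, but a script that pasted UPNs straight into excludeUsers would create a policy whose exclusion list silently matches nobody.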
Verification Checklist
After enabling the policy, verify successful implementation:
Immediate Checks
- Policy appears in the Conditional Access policies list with status "On"
- Emergency access accounts are listed in the exclusions
- No syntax errors or warnings appear on the policy
Sign-in Log Validation
- Navigate to Entra admin center > Monitoring > Sign-in logs
- Filter for recent sign-ins
- Click on a sign-in and check the Conditional Access tab
- Verify your policy appears with result "Success" or "Failure" (not "Not applied"). If the policy is still in Report-only, the result is shown as "Report-only: Success" or "Report-only: Failure" instead
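Clicking through sign-ins one at a time does not scale during the 1-2 day Report-only window. The following added example (not part of the original guide) pulls the last 24 hours of interactive sign-ins through Microsoft Graph PowerShell and summarises how this policy evaluated for each, so that the Report-only monitoring in Step 8 and the sign-in log validation above become one query. It assumes the Microsoft.Graph.Reports module is installed and that the policy is named exactly as in Step 2.

```powershell
# Added example (not from the original guide): summarise CA-01 results from the sign-in logs.
# Assumes Microsoft.Graph.Reports is installed. AuditLog.Read.All and Directory.Read.All are the
# permissions Get-MgAuditLogSignIn requires.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$policyName = "Require MFA for All Users"
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Interactive sign-ins only (the default for this endpoint). -All pages through the results.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Each sign-in carries an entry per Conditional Access policy that was evaluated. In report-only
# mode the results are reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied /
# reportOnlyInterrupted; once enforced they become success / failure / notApplied.
$rows = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if (-not $applied) { continue }    # sign-in predates the policy, or it was not evaluated at all
    [pscustomobject]@{
        User   = $s.UserPrincipalName
        App    = $s.AppDisplayName
        Result = $applied.Result
        Error  = $s.Status.ErrorCode
        Reason = $s.Status.FailureReason
    }
}

"Policy '$policyName' results since ${since}:"
$rows | Group-Object Result | Sort-Object Count -Descending |
    Select-Object @{ n = "Result"; e = { $_.Name } }, Count | Format-Table -AutoSize

# notApplied is expected for the excluded emergency access accounts. For anyone else it means
# the policy did not evaluate for that sign-in and needs explaining before you enforce.
"Accounts for which the policy did not apply (emergency access accounts are expected here):"
$rows | Where-Object { $_.Result -in "notApplied", "reportOnlyNotApplied" } |
    Select-Object User, App -Unique | Format-Table -AutoSize

# Failures are the users who could not (or, in report-only, would not be able to) satisfy MFA.
# FailureReason usually says why, for example no registered authentication method.
"Sign-ins where the policy failed:"
$rows | Where-Object { $_.Result -in "failure", "reportOnlyFailure" } |
    Select-Object User, App, Error, Reason | Format-Table -AutoSize
```

Run it once before flipping the policy to On: an empty "did not apply" list apart from the break-glass accounts, and a failure list you can account for, is the evidence the "Once validated" step in Step 8 asks for.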
Test User Validation
- Sign out and sign in with a test user account (not an emergency access account)
- Verify MFA prompt appears
- Complete MFA successfully
- Confirm access to applications is granted
Emergency Account Validation
- Sign in with one emergency access account
- Verify MFA is NOT prompted by this policy. The sign-in log entry should show the policy as "Not applied" for this account; a prompt that does appear is coming from somewhere else (another policy, or legacy per-user MFA on the account) and should be traced
- Document this test for audit purposes
Troubleshooting
Policy Not Applied
Symptom: Users are not prompted for MFA despite policy being enabled.
Solutions:
- Verify the policy is set to "On" (not "Report-only")
- Check whether the user already satisfied MFA in the current session. Conditional Access does not re-prompt while a token that carries the MFA claim is valid, and "Remember MFA" or a persistent browser session extends that; sign out fully or use a private browser window to test
- Ensure users are not excluded directly or via group membership. Note that policies combine restrictively: another policy that grants access without MFA does not override this one, so look for an exclusion, not a competing grant
- Open the sign-in in the Sign-in logs and read the Conditional Access tab; "Not applied" with a reason tells you which assignment or condition did not match
Users Locked Out
Symptom: Users cannot authenticate and receive an error.
Solutions:
- Check if the user has registered MFA methods (Entra admin center > Users > All users > select the user > Authentication methods). A user with no registered method cannot satisfy the grant control and is blocked
- Verify the user is not blocked or disabled
- Use the Sign-in diagnostic tool in Entra admin center
- If many users are affected, switch the policy back to Report-only rather than Off while investigating: it stops the enforcement but keeps recording what the policy would have done. If administrators are among those locked out, this is what the excluded emergency access accounts are for
Emergency Account Prompted for MFA
Symptom: Break-glass accounts are being asked for MFA.
Solutions:
- Edit the policy and verify the emergency accounts are in the Exclude list
- Check for typos in the excluded account UPNs
- Ensure no other Conditional Access policy requires MFA for these accounts (for example a policy scoped to directory roles such as CA-02, which will catch them because they hold Global Administrator), and that legacy per-user MFA is not enabled on them (Entra admin center > Users > All users > Per-user MFA)
- Use the "What If" tool to validate exclusions
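The What If tool answers this one account and one policy set at a time. The added example below (not from the original guide) enumerates every enabled or report-only Conditional Access policy and reports those that apply to an emergency access account and would require MFA, require an authentication strength, or block access, taking direct user assignments, group membership and directory-role assignments into account. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed and that the BreakGlass UPNs are placeholders for your own accounts. It only sees active role assignments, not PIM-eligible ones.

```powershell
# Added example (not from the original guide): which CA policies could still prompt or block the
# emergency access accounts? Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users.
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All", "User.Read.All", "GroupMember.Read.All", "Directory.Read.All" -NoWelcome

# Placeholder UPNs: replace with your tenant's emergency access accounts.
$breakGlassUpns = @(
    "BreakGlass1@contoso.onmicrosoft.com",
    "BreakGlass2@contoso.onmicrosoft.com"
)

$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -ne "disabled" }

$findings = foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop

    # Transitive membership returns groups and active directory roles. CA policies reference
    # groups by object ID and roles by role template ID, so collect both.
    $memberOf = Get-MgUserTransitiveMemberOf -UserId $user.Id -All
    $groupIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.Id })
    $roleTemplateIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['roleTemplateId'] })

    foreach ($p in $policies) {
        $u = $p.Conditions.Users
        $included = ($u.IncludeUsers -contains "All") -or
                    ($u.IncludeUsers -contains $user.Id) -or
                    (@($u.IncludeGroups | Where-Object { $_ -in $groupIds }).Count -gt 0) -or
                    (@($u.IncludeRoles  | Where-Object { $_ -in $roleTemplateIds }).Count -gt 0)
        $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                    (@($u.ExcludeGroups | Where-Object { $_ -in $groupIds }).Count -gt 0) -or
                    (@($u.ExcludeRoles  | Where-Object { $_ -in $roleTemplateIds }).Count -gt 0)
        if (-not $included -or $excluded) { continue }

        # What would the policy demand of this account? Session-only policies have no grant controls.
        $grant  = $p.GrantControls
        $demand = @()
        if ($grant.BuiltInControls -contains "mfa")   { $demand += "mfa" }
        if ($grant.BuiltInControls -contains "block") { $demand += "block" }
        if ($grant.AuthenticationStrength.Id)         { $demand += "authenticationStrength" }
        if ($demand.Count -eq 0) { continue }

        [pscustomobject]@{
            Account = $upn
            Policy  = $p.DisplayName
            State   = $p.State
            Demands = $demand -join ","
        }
    }
}

if ($findings) {
    "Policies that apply to an emergency access account and require MFA, an authentication strength, or block:"
    $findings | Format-Table -AutoSize
} else {
    "No enabled or report-only policy requires MFA from, or blocks, the emergency access accounts."
}
```

Any row in the output is a policy whose Exclude list needs the break-glass accounts added; re-run after editing, and keep the output with the audit record from the Emergency Account Validation step.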
What If Tool
Use the "What If" tool to troubleshoot before making changes:
- Navigate to Conditional Access > Policies
- Click What If at the top
- Select a user and resource
- Review which policies would apply and their outcomes
Policy Configuration Summary
| Setting | Value |
|---|---|
| Policy Name | Require MFA for All Users |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions | None |
| Grant | Require multifactor authentication |
| Session | None |
| Enable Policy | Report-only during the pilot, then On |
Related Controls
- PA-03: Configure Emergency Access Accounts (prerequisite)
- CA-02: Require MFA for All Administrators (additional protection)
- ID-01: User MFA Registration (ensure users can complete MFA)
- ID-02: Block Legacy Authentication (prevent MFA bypass)