CA-01: Require MFA via Conditional Access Policy
Frequently asked questions about implementing and managing the CA-01 security control in Microsoft 365 and Entra ID.
QWhat is CA-01 (Require MFA via Conditional Access Policy)?▼
CA-01 is a security control that conditional access policies provide granular mfa enforcement with proper exclusions. unlike security defaults, ca policies allow you to exclude emergency access accounts while still protecting all users. It requires that at least one conditional access policy requires mfa for all users and policy applies to all cloud applications, emergency access accounts are excluded, policy state is enabled (not report-only).
QWhy is Require MFA via Conditional Access Policy important for Microsoft 365 security?▼
Conditional Access policies provide granular MFA enforcement with proper exclusions. Unlike Security Defaults, CA policies allow you to exclude emergency access accounts while still protecting all users.
QHow do I implement CA-01 in my tenant?▼
TrueConfig provides one-click remediation for CA-01. Creates a Conditional Access policy requiring MFA for all users
QWhat license do I need for CA-01?▼
This control requires Azure AD Premium P1 (included in Microsoft 365 E3) or higher.
QWhich security baseline includes CA-01?▼
CA-01 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.
QWhy is CA-01 marked as critical severity?▼
CA-01 is rated critical because failure to implement this control significantly increases the risk of security incidents. Conditional Access policies provide granular MFA enforcement with proper exclusions. Unlike Security Defaults, CA policies allow you to exclude emergency access accounts while still protecting all users.
6
Questions
1
Related Controls
—
Categorized
Related Resources
Still have questions?
Our security experts are here to help. Start a free trial and get personalized guidance for your Microsoft 365 environment.
Start Free Trial