
Legacy MFA vs Conditional Access

Stephen Hicks | December 26, 2023


We’re all moving into the cloud. As our clients increasingly rely on Microsoft 365, multifactor authentication is of paramount importance in protecting user accounts – Microsoft even says it’s 99.9% effective. There are three ways to implement MFA in Microsoft land: Security Defaults (which we won’t address here as it’s not flexible enough for us), Legacy MFA, and Conditional Access. While both Legacy MFA and Conditional Access aim to bolster protection, they differ significantly in their scope, flexibility, and application.


Legacy Per User Multifactor Authentication

Legacy Per User Multifactor Authentication, as the name suggests, focuses on individual user accounts. This method involves ‘turning on’ MFA for users one at a time. While Legacy Per User Multifactor Authentication adds an extra layer of security, it has limitations. It does not apply to all users universally, and it lacks the ability to differentiate between user roles or the context of access attempts. This can lead to configuration drift, where the intended design (every user has MFA) gradually diverges from what is actually configured.


Conditional Access

Conditional Access, on the other hand, introduces a more sophisticated and context-aware approach to authentication. This method has several advantages; it can evaluate a range of factors before granting access to a user. These factors can include user location, device health, network status, time of access, and more. By considering these contextual elements, organizations can dynamically adjust the level of authentication required based on the perceived risk of the access attempt.

Conditional Access is also group based, allowing us to move to an ‘opt out’ approach where everyone is subject to the ‘condition’ (in this case, multifactor) unless they are intentionally excluded. This granular approach enhances both security and user experience. For instance, we can easily report who isn’t registered for MFA, correct the situation, and move forward quickly without further drift.
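As an added example (not code from the original post), here is what the ‘opt out’ design above looks like when expressed as a Conditional Access policy through the Microsoft Graph PowerShell SDK, followed by the registration report the post mentions. The group ID and policy name are placeholders, and the policy is created in report-only mode first so the exclusions can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: an 'opt out' Conditional Access policy plus an MFA registration report.
# Requires the Microsoft.Graph PowerShell SDK; the scopes below are the ones these calls need.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

# Placeholder: object ID of the exclusion group (break-glass and service accounts).
$excludedGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Report-only: sign-in logs show what the policy WOULD do without enforcing it,
    # so nobody is locked out while the exclusion list is validated.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")             # everyone is in scope by default
            excludeGroups = @($excludedGroupId)  # group membership is the only way out
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Drift check: list users who have not registered any MFA method yet.
# Run this (and fix the stragglers) before switching the policy state to "enabled".
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable |
    Format-Table -AutoSize
```

Once the report comes back empty and the report-only sign-in logs show only the expected exclusions, the same policy can be updated to `state = "enabled"`.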


Key Differences

The primary distinction between Legacy Per User Multifactor Authentication and Conditional Access lies in their adaptability. Legacy methods are configured user by user, while Conditional Access tailors security measures to the specific circumstances of each access request and can be applied universally. This results in a more seamless experience for users, reducing friction while maintaining a high level of protection against potential threats.

Organizations should consider a move to Conditional Access. It does have a licensing requirement, and that requirement is met easily by Microsoft’s most popular Small to Medium Business SKU – Microsoft 365 Business Premium. A properly configured Conditional Access policy is half of the strongest defense we have today against account compromise. We recommend evaluating this solution for appropriateness in all Microsoft 365 environments.
