Until now, the only way to activate MFA on your tenant via Office Protect was the "Enable Security Defaults" setting. This did not work for tenants licensed with Azure Active Directory Premium, because Security Defaults and Conditional Access Policies are mutually exclusive: a tenant cannot have both enabled at the same time.


To let tenants licensed with Azure AD Premium use Conditional Access Policies, we redesigned the "Enable Security Defaults" setting. It is now called "Enable MFA".


Impact of the change:


        1 - Tenant without Azure Active Directory Premium:


If Enable Security Defaults was activated on your tenant: Security Defaults remains active.


If Enable Security Defaults was disabled on your tenant: no change.


        2 - Tenant with Azure Active Directory Premium:


If Enable Security Defaults was activated on your tenant:

  • Security Defaults remains active by default.
  • You can now choose the value "Via CA when available":
    • Office Protect automatically creates two Conditional Access Policies on your tenant and then disables Security Defaults. The security level of your tenant remains the same (see the "How does it work?" section below).
    • If Office Protect detects that these MFA Conditional Access Policies have been removed or edited, you receive a "Microsoft 365 setting changed outside Office Protect" event.
    • With this configuration, you can now apply other Conditional Access Policies of your own if you want to.
    • If you apply this value to a setting profile, Security Defaults is activated instead on the tenants of that profile that do not have Azure Active Directory Premium.
  • If you prefer to manage your own MFA Conditional Access Policies, choose "Do not modify (Ignore)" instead.


You can apply "Via CA when available" to a setting profile. For tenants associated with this profile and licensed with Azure AD Premium, the CA policies are created. For tenants associated with this profile and not licensed with Azure AD Premium, Security Defaults is activated.



If Enable Security Defaults was disabled on your tenant:

  • You have not configured any MFA Conditional Access Policies on your tenant: no change.
  • You have already configured MFA Conditional Access Policies: either select "Do not modify (Ignore)" so that Office Protect leaves your MFA configuration untouched, or select "Via CA when available" to replace it with the Office Protect MFA policies.


Please note that if you enable MFA via Conditional Access in Office Protect and you have other active policies, Azure AD evaluates every policy that applies to a sign-in and the sign-in must satisfy all of them. In practice the most restrictive outcome wins: a block in any policy takes precedence over a grant, and a grant requiring MFA still applies even if another policy would allow the sign-in without it.



How does it work?


Whether MFA is enforced through Security Defaults or through the MFA Conditional Access Policies, your tenant is protected at the same level:

  • All users are required to register for Azure AD Multifactor Authentication
  • All administrators are required to do multifactor authentication
  • Users are required to do multifactor authentication when necessary
  • Legacy authentication protocols are blocked
  • Privileged activities like access to the Azure portal are protected


When Office Protect enables MFA through Conditional Access Policies, these two policies are created on your tenant:

  • MFA Policy (OP): requires all users to complete multifactor authentication before access to any cloud application is granted.
  • Block Legacy Authentication Policy (OP): blocks access to all cloud applications from clients that use legacy authentication protocols.


You can view these policies in the Microsoft Azure AD administration center > "Protect & secure" > "Conditional Access". Editing a policy created by Office Protect changes what it enforces and is reported as a setting changed outside Office Protect, so we strongly recommend that you leave these policies untouched and put your own rules in separate policies.
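As an added example (not Office Protect's own code and not part of the original article), the following read-only PowerShell audit checks that a tenant is in the state described above after "Via CA when available" is applied: Security Defaults is off, the two Office Protect policies are present and still enforce what the bullets say, and any other enabled policy that will be evaluated alongside them is listed. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns), an account able to consent to Policy.Read.All, and a guess at the policies' internal shape that the article does not state: all users and all cloud apps with the "mfa" grant control for the first policy, and the "exchangeActiveSync" and "other" client app types with the "block" grant control for the second.

```powershell
# Added audit script, not Office Protect code. Read-only: it only reads tenant policy state.
# Assumed (not stated on the page): the policies are located by the display names quoted in the
# article; the MFA policy targets all users / all cloud apps with grant control "mfa"; the
# legacy-auth policy targets client app types "exchangeActiveSync" and "other" with "block".

Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$MfaPolicyName    = "MFA Policy (OP)"
$LegacyPolicyName = "Block Legacy Authentication Policy (OP)"

function Test-OpMfaPolicy {
    # Returns drift findings for the MFA policy; an empty result means it still matches expectations.
    param([object]$Policy)
    if ($null -eq $Policy) { return @("'$MfaPolicyName' is missing.") }
    $issues = @()
    if ($Policy.State -ne "enabled") { $issues += "'$MfaPolicyName' is not enforced (state: $($Policy.State))." }
    if ($Policy.Conditions.Users.IncludeUsers -notcontains "All") { $issues += "'$MfaPolicyName' no longer targets all users." }
    if ($Policy.Conditions.Applications.IncludeApplications -notcontains "All") { $issues += "'$MfaPolicyName' no longer targets all cloud apps." }
    if ($Policy.GrantControls.BuiltInControls -notcontains "mfa") { $issues += "'$MfaPolicyName' no longer requires MFA." }
    return $issues
}

function Test-OpLegacyPolicy {
    # Returns drift findings for the legacy-authentication block policy.
    param([object]$Policy)
    if ($null -eq $Policy) { return @("'$LegacyPolicyName' is missing.") }
    $issues = @()
    if ($Policy.State -ne "enabled") { $issues += "'$LegacyPolicyName' is not enforced (state: $($Policy.State))." }
    if ($Policy.Conditions.Users.IncludeUsers -notcontains "All") { $issues += "'$LegacyPolicyName' no longer targets all users." }
    foreach ($type in @("exchangeActiveSync", "other")) {
        if ($Policy.Conditions.ClientAppTypes -notcontains $type) { $issues += "'$LegacyPolicyName' no longer covers client app type '$type'." }
    }
    if ($Policy.GrantControls.BuiltInControls -notcontains "block") { $issues += "'$LegacyPolicyName' no longer blocks access." }
    return $issues
}

$findings = @()

# 1. Security Defaults and Conditional Access are mutually exclusive: once MFA is enforced via CA,
#    Security Defaults must be off or the CA policies are not what is protecting the tenant.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($securityDefaults.IsEnabled) {
    $findings += "Security Defaults is still enabled; Conditional Access policies are not in effect."
}

# 2. Locate the two Office Protect policies by display name and verify they still have the expected shape.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$findings += Test-OpMfaPolicy    -Policy ($policies | Where-Object DisplayName -eq $MfaPolicyName)
$findings += Test-OpLegacyPolicy -Policy ($policies | Where-Object DisplayName -eq $LegacyPolicyName)

# 3. Every other enabled policy is evaluated alongside the Office Protect ones; a sign-in must satisfy
#    all policies that apply to it, so list them to see the combined effect.
$others = $policies | Where-Object { $_.State -eq "enabled" -and $_.DisplayName -notin @($MfaPolicyName, $LegacyPolicyName) }
Write-Host "Other enabled Conditional Access policies evaluated alongside Office Protect's:"
foreach ($p in $others) {
    Write-Host ("  - {0} (grant controls: {1})" -f $p.DisplayName, ($p.GrantControls.BuiltInControls -join ","))
}

if ($findings.Count -eq 0) {
    Write-Host "OK: Security Defaults is off and both Office Protect MFA policies are intact."
    exit 0
}
Write-Host "DRIFT: tenant does not match the expected 'Via CA when available' state:"
$findings | ForEach-Object { Write-Host "  - $_" }
exit 1
```

Run it from an account with Conditional Access read rights; it exits 0 when the tenant matches and 1 with a list of findings otherwise, which makes it easy to schedule as a cross-check against the "Microsoft 365 setting changed outside Office Protect" event. If Office Protect's real policies are shaped differently from the assumption above (for example, an exclusion group for break-glass accounts), adjust the two Test-* functions before treating their output as drift.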