I started this blog post series with “How to get started with Conditional Access” and will continue with some use cases. These use cases can be combined or implemented stand-alone; it all depends on what you or your organisation want to accomplish.

In this use case we just add an extra layer of security on top of Office 365 web access. The same approach works for other applications, such as SharePoint, ServiceNow and other apps that provide web access through Azure Active Directory. This is a typical request I get from customers, and it is an easy way to get started with Conditional Access.
The goal is to get an MFA request when:

  • Accessing Exchange Online
  • From a web browser
  • Outside of the corporate network
  • On any device

Note: MFA for Office 365 requires modern authentication to be enabled.

Start the Azure Active Directory admin center

  1. Click Azure Active Directory
  2. Click Conditional Access

CA - MFA on Exchange Online - 01

  1. Click New policy

CA - MFA on Exchange Online - 02

  1. Enter a name that makes sense to you: “Ca – Require MFA for EXO”
  2. Select Assignments
  3. Select All users

It is recommended to apply this to a test group first and then roll it out to production in phases.

CA - MFA on Exchange Online - 03

  1. Select Cloud apps
  2. Select Selected apps
  3. Select Office 365 Exchange Online

CA - MFA on Exchange Online - 04

  1. Select Conditions
  2. Select Device Platform
  3. Click Configure – Yes
  4. Select All platforms (Including unsupported)

If for some reason you want different rules for different operating systems, this is the place to select them.

CA - MFA on Exchange Online - 05

  1. Select Conditions
  2. Select Locations
  3. Select Configure – Yes
  4. Select Any location

CA - MFA on Exchange Online - 06

If you only want MFA to apply from outside your corporate network:

  1. Select Locations
  2. Select Exclude
  3. Click Selected locations
  4. Click Select
  5. Select MFA Trusted IPs

CA - MFA on Exchange Online - 07

  1. Select Conditions
  2. Select Client Apps
  3. Select Configure – Yes
  4. Select only browser

If you do not deselect “Mobile apps and desktop clients”, the MFA requirement will affect Outlook and other mail apps as well.

CA - MFA on Exchange Online - 07a

  1. Select Access controls
  2. Select “Require multi-factor authentication”

CA - MFA on Exchange Online - 08

The Conditional Access policy is now created, but it only takes effect once you set Enable policy to On.

CA - MFA on Exchange Online - 09
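As an added example that is not part of the original post, here is the same policy defined through the Microsoft Graph PowerShell SDK instead of the portal, so it can be reviewed and kept under version control. It assumes the Microsoft.Graph module is installed, that the well-known Exchange Online application ID used below applies to your tenant, and it uses the built-in “AllTrusted” exclusion as a stand-in for the “MFA Trusted IPs” named location chosen in the portal steps.

```powershell
# Added example (not from the original post): the portal policy above built with
# the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Assumptions: you hold a role that may manage Conditional Access, the module is
# installed, and "AllTrusted" is an acceptable stand-in for the "MFA Trusted IPs"
# named location (it excludes every location marked as trusted).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$policy = @{
    displayName = "CA - Require MFA for EXO"
    # Report-only first: the policy is evaluated and written to the sign-in logs
    # but not enforced, which matches the advice to start with a test group.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        # Well-known application ID of Office 365 Exchange Online
        applications   = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }
        # "All platforms (Including unsupported)" in the portal
        platforms      = @{ includePlatforms = @("all") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        # Browser only; "mobileAppsAndDesktopClients" is deliberately left out
        # so Outlook and other mail clients are not affected.
        clientAppTypes = @("browser")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the policy landed with the intended settings before switching it on.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check | Select-Object DisplayName, State
$check.Conditions.ClientAppTypes               # expected: browser
$check.Conditions.Locations.ExcludeLocations   # expected: AllTrusted
$check.GrantControls.BuiltInControls           # expected: mfa

# Once the report-only sign-in log results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Check the sign-in logs for the report-only evaluation results before changing the state to enabled, so that the users in your test group are confirmed to satisfy MFA.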

Now for the end user experience:

In this case my user Jane Doe starts the Exchange Online web access at https://outlook.office.com/owa/

She is prompted with the normal sign-in page.

User Experience 01

She enters her password.

User Experience 01a

Then MFA kicks in and she is prompted for the text code sent to her authentication phone.

User Experience 02

Then she has access as normal.

User Experience 03

It is recommended to have end users enroll in MFA before enabling the Conditional Access policy, so that you can ensure they still have access once the policy is enforced. When the policy is enabled, the first time an end user logs in to Exchange Online web access they are prompted to enroll in Azure MFA, but your end users can do this in advance at https://aka.ms/mfasetup

Read more:

Deploy cloud-based Azure Multi-Factor Authentication
If you have not already enabled modern authentication in Office 365, then check this out:
Enable or disable modern authentication in Exchange Online