Streamline Your MFA Hardening Project: Migrating to Security Defaults and Conditional Access Policies in M365
Microsoft is deprecating Per-User MFA in September 2025. MSPs have the choice between upgrading their Microsoft tenants’ MFA security to Security Defaults or Conditional Access Policies. In this post, we’ll cover the strengths of each and how to get started with your MFA hardening/migration project.
Here’s a quick rundown of your current MFA options for M365:
Traditional Per-User Multifactor Authentication
Traditional Per-User Multifactor Authentication (MFA) is likely the method of MFA most of your clients are currently using. Per-User MFA involves enabling MFA for individual user accounts separately (Wooo Microsoft Portals). Although it enhances security, this approach has notable drawbacks. It isn’t universally applied and fails to consider different user roles or access contexts, leading to inconsistencies in security enforcement. It’s without a doubt better than no MFA requirements, but it is being deprecated in 2025 for a reason.
Security Defaults
Security Defaults bundle many settings together and provide decent overall security. They will enforce MFA on all accounts after a 14-day period, but they are non-customizable. When you apply Security Defaults to a tenant, every account inherits all the default options, leaving no way to pick and choose settings. Security Defaults are notorious for locking out someone, somewhere (think legacy systems). If you’ve got a million tenants that need a coverall, Security Defaults will do the trick, but it’s best to strive for Conditional Access Policies.
Conditional Access Policies
Conditional Access Policies provide a more refined, context-sensitive authentication method. It assesses various factors, including user location, device status, network conditions, and access time before granting access. This method adjusts authentication requirements based on the assessed risk, improving both security and user experience. Unlike the traditional method, Conditional Access is applied to groups, ensuring all users meet the conditions, unless specifically exempted. This minimizes security gaps and streamlines compliance and reporting. For example, you can block sign-ins from every country except your client’s home country, which alone will prevent a lot of security breaches from happening. While Security Defaults provide broad security coverage, they lack the flexibility and precision of Conditional Access Policies, making the latter a superior choice for tailored security needs.
Starting Your MFA Hardening/Migration Project
If you’ve ever used traditional methods, you know how time-consuming it can be to configure MFA for a single tenant, let alone for all of your clients. While enabling Entra ID Per User isn’t particularly difficult for a technician, the real challenge is identifying which users are still using legacy MFA. Without that information, where do you even start?
M365 doesn’t have any built-in features to provide a comprehensive report on account protection. While it’s possible to manually check each Microsoft portal and track everything in a spreadsheet, there are certainly better ways for your technicians to spend their time. Getting a targeted list before starting is crucial – and this is where Augmentt can save you loads of time!
Knowing Who to Migrate
Assuming your tenants are already on-boarded to Augmentt, navigate to Secure on the left side menu and run the MFA report. The report will give you a detailed view of who and how many users are or aren’t protected by Conditional Access Policies, Per-User MFA, and Security Defaults. This will give you the exact list of tenants and end-users across all your clients that need to be migrated to either a Conditional Access Policy or a Security Default.
Beat the deadline
Use your MFA report as a list of tenants that need to be migrated before September 2025. If you’re not currently an Augmentt customer, you can still run our free threat report, which will tell you how many accounts are NOT protected by MFA. The free report will give a good sense of where your M365 security stands today and how much or little work you have ahead of you.
Congratulations of becoming a new Augmentt Partner. We are excited at the opportunity to work with you and your team. We understand that you are incredibly busy so we have…
When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick…
Thank you for starting your Augmentt Product Evaluation and Trial Here are a few resources that will help you through this technical process. Support Technical Support is available to…
Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.