🛡️ Essential 8 Guide

Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisation’s sensitive data.

Summary

Multi-factor authentication (MFA) strengthens access control by requiring an additional verification factor for users accessing the organisation’s online services that process, store or transmit sensitive data¹. If the only service uses Entra ID SSO authentication, create a Conditional Access policy requiring MFA for that app using the Entra ID Portal².

“Sensitive data” in the Australian Government context means data classified as OFFICIAL: Sensitive or higher under the PSPF. This includes personal privacy information, legal-privilege material, health records, and other information where disclosure could cause limited to significant harm.³

The required CA grant control varies by maturity level. At ML1, any MFA method satisfies the control. At ML2 and ML3, the CA grant must use Require authentication strength → Phishing-resistant MFA, restricting authentication to FIDO2 keys, Windows Hello for Business (TPM), certificate-based authentication, or device-bound passkeys only.⁴⁵

Design Decision

[!NOTE] The MFA for Volume Licensing Central Conditional Access policy will be created in the Microsoft Entra ID Portal to require multifactor authentication for all users accessing the Volume Licensing Central app. It will be applied via Conditional Access targeting Volume Licensing Central and will enforce MFA for all sign-ins.

Prerequisites

• Permissions/Roles:
  • Global Administrator or an equivalent admin role with permission to manage security settings in Microsoft Entra ID, including the ability to configure Conditional Access policies and MFA. ²
  • Conditional Access Administrator to create and manage Conditional Access policies. ⁴
• Dependencies:
  • Access to the Microsoft Entra admin center to create and manage Conditional Access policies and enable MFA. ¹
  • Ability to create and enable a Conditional Access policy that requires MFA for all users accessing the target resources. ¹
  • If you plan to enforce device-based controls, ensure devices are enrolled in Intune and/or are Microsoft Entra hybrid joined, with corresponding compliance policies in place. ⁴
  • If Conditional Access is not available in the tenant, consider using Security Defaults or Per-User MFA as alternatives. ²

Implementation Steps

Create conditional access policy requiring MFA for Entra ID SSO app (Volume Licensing Central)

1. Sign in to Microsoft Entra Admin Centre as a Global Admin (or Conditional Access Admin).¹
2. Browse to Entra ID > Conditional Access > Overview, select + Create new policy.¹
3. Enter a name for the policy, such as MFA for Volume Licensing Central.¹
4. Under Assignments, select Users or workload identities. Under Include, choose All Users.¹
5. Under Target Resources, verify that Resources (Formerly cloud apps) is selected. Under Include, choose Select Apps. Then under Include, choose Select resources. Click None under Select to clear any preselected items, then in the new window select Microsoft Admin Portals and click Select.¹
6. You can generally leave Conditions at defaults (all locations, all device states).¹
7. Under Access controls > Grant, choose Require multi-factor authentication. Ensure no conflicting controls (like Block access) are selected.¹
8. Enable the policy: On to enforce MFA. To apply the Conditional Access policy, select Create.¹
9. After enabling, the policy will prompt any user for MFA when they sign into Volume Licensing Central. If they’ve already satisfied MFA recently, they might not be prompted on every login by default.¹

Alternative methods if Conditional Access is not available

1. Security Defaults: If your tenant supports it, you can enable Security Defaults to require MFA broadly. This solution applies MFA to sign-ins across apps, not just Volume Licensing Central. [Not provided in source documentation]²

2. Per-User MFA (Legacy): As a fallback, enable MFA on a per-user basis for Volume Licensing Central users. This is less scalable and is generally not recommended over Conditional Access. [Not provided in source documentation]²

Note: The above alternatives are described in the source as fallback options if Conditional Access is not available. They apply MFA in broader or per-user scopes rather than a targeted policy for Volume Licensing Central. ²

MFA grant control by maturity level

[!NOTE] Use “Require authentication strength” (available in Entra Conditional Access under Access controls → Grant) rather than the legacy “Require multi-factor authentication” grant when targeting ML2/ML3, as it enforces the specific method set and cannot be satisfied by weaker methods such as SMS OTP.⁵

Additional related information

• Essential Eight MFA conditional access policies provide planning and deployment guidance for MFA across Entra ID Configure Essential Eight MFA conditional access policies
• Essential Eight MFA authentication strengths outline defined authentication strength levels used in MFA policies Configure Essential Eight MFA authentication strengths
• Require a compliant device, Microsoft Entra hybrid joined device, or multifactor authentication for all users describes layered Conditional Access options including device compliance and hybrid join Require a compliant device, Microsoft Entra hybrid joined device, or multifactor authentication for all users
• System-preferred multifactor authentication provides a managed MFA posture and can complement CA policies System-preferred multifactor authentication - Authentication methods policy
• Microsoft Entra ID and PCI-DSS Requirement 8 covers MFA enforcement for privileged access and CDE with CA and PIM guidance Microsoft Entra ID and PCI-DSS Requirement 8
• Security defaults in Microsoft Entra ID helps enforce tenant-wide MFA when Conditional Access isn’t available Security defaults in Microsoft Entra ID