🎯 Purpose
✅ Enforce multi‑factor authentication (MFA) for all users, meeting Essential Eight – Maturity Level 1 requirements.
👥 Who is affected
✅ Users: All users
🚫 Exclusions: None
➡️ Every user must use MFA. No exceptions.
☁️ What access is protected
✅ Applications: All cloud applications
✅ Client types: Browser, mobile, desktop
➡️ Any sign‑in to Microsoft cloud services requires MFA.
🔐 How MFA is enforced
✅ MFA required for every sign‑in
✅ Implemented using a custom Authentication Strength
✅ Any sign‑in must satisfy Microsoft’s MFA definition
➡️ Password‑only sign‑ins are blocked.
ℹ️ Note:
Authentication Strength is used to enforce MFA consistently and support future uplift to higher Essential Eight maturity levels.
⚙️ What this policy does NOT enforce
🚫 Device compliance
🚫 Location restrictions
🚫 Platform restrictions
🚫 Terms of Use
➡️ This is intentional for Maturity Level 1.
🟢 Policy status
✅ Enabled
✅ Actively enforcing MFA
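An added example, not part of the original policy document: a check of an exported policy against the settings listed above. It assumes the export uses Microsoft Graph conditionalAccessPolicy field names; the sample policy, its display name and the all-zero strength id are constructed placeholders.

```python
# Constructed sample in the Microsoft Graph conditionalAccessPolicy shape;
# the display name and strength id are placeholders, not values from this page.
SAMPLE_POLICY = {
    "displayName": "EXAMPLE-E8-ML1-Require-MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        "locations": None, "platforms": None,
    },
    "grantControls": {"builtInControls": [], "termsOfUse": [],
                      "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000000"}},
}

def audit_policy(policy):
    """Return deviations from the baseline this page describes (empty list = match)."""
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    clients = set(cond.get("clientAppTypes") or [])
    findings = []
    if policy.get("state") != "enabled":  # report-only or disabled enforces nothing
        findings.append("policy is not enabled")
    if "All" not in (users.get("includeUsers") or []):
        findings.append("not scoped to all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            findings.append(f"exclusion present: {key}")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("not scoped to all cloud applications")
    if apps.get("excludeApplications"):
        findings.append("exclusion present: excludeApplications")
    if "all" not in clients and not {"browser", "mobileAppsAndDesktopClients"} <= clients:
        findings.append("browser, mobile and desktop clients not all covered")
    if not (grant.get("authenticationStrength") or {}).get("id"):
        findings.append("no authentication strength in grant controls")
    if "compliantDevice" in (grant.get("builtInControls") or []):
        findings.append("out of scope for this policy: device compliance")
    if grant.get("termsOfUse"):
        findings.append("out of scope for this policy: Terms of Use")
    for key in ("locations", "platforms"):
        if cond.get(key):
            findings.append(f"out of scope for this policy: {key} condition")
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY) or "matches the documented baseline")
```

The check confirms that an authentication strength is referenced, not which method combinations that strength allows; those need to be reviewed on the strength itself.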
📘 Essential Eight Alignment
✅ Meets Essential Eight – Multi‑Factor Authentication (Maturity Level 1)
✅ MFA is enforced for all users and all applications
ℹ️ Phishing‑resistant MFA (e.g. FIDO2, Windows Hello for Business) is not required at Maturity Level 1 and is addressed in Maturity Levels 2 and 3
📘 Practical Interpretation (Executive-Friendly)
This Conditional Access policy ensures that:
✅ Every user
✅ Accessing any Microsoft cloud resource
✅ Must authenticate using multi‑factor authentication
This establishes the minimum security baseline required by Essential Eight Maturity Level 1 and provides a clear foundation for progressing to stronger authentication controls in Maturity Levels 2 and 3.


