Policy Scope
This policy applies universally across the environment:
Users: All users are included, with no exclusions for individuals, groups, or roles
Applications: All cloud applications are protected
Client App Types: All client apps are included, i.e. browser, mobile apps and desktop clients (modern authentication), and legacy authentication clients (Exchange ActiveSync and other clients). Keeping legacy clients in scope matters: they cannot satisfy an MFA prompt, so under this policy their sign-ins fail rather than bypassing the control, whereas narrowing the condition to browser and modern clients only would leave legacy authentication unchallenged
Access Context: No differentiation based on device state, platform, location, network, or authentication context
There are no exclusions or conditional carve-outs, making this a deliberately broad and uncompromising control. The trade-off is operational: with no emergency-access (break-glass) account excluded, an MFA service outage or a lost authenticator on the last privileged account can lock administrators out of the tenant, so that choice should be deliberate and documented.
Conditions
The policy does not rely on adaptive or risk-based signals. Specifically:
No user risk or sign-in risk conditions are evaluated
No device compliance, operating system, or platform filters are applied
No trusted location or named location exemptions exist
No time-based or authentication context conditions are defined
As a result, MFA is enforced consistently for every sign-in attempt, regardless of perceived risk or environment.
Access Controls
Access is governed entirely through grant controls:
Required control: Multi-factor authentication (MFA)
Operator: OR (with MFA as the only selected control, "require one of the selected controls" reduces to "require MFA"; adding a second control under OR would create an alternative path that satisfies the policy without MFA)
No alternative controls (such as compliant device or hybrid join) are permitted
No authentication strength profiles or custom authentication factors are configured
Users must successfully complete MFA to be granted access — there are no secondary paths to access.
Session Controls
No session controls are configured. The policy focuses solely on authentication enforcement at sign-in, rather than post-authentication session behaviour such as sign-in frequency or browser persistence.
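The four sections above describe one policy object. The following is an added example, not tooling from the policy's author: it writes that policy in the Microsoft Graph conditionalAccessPolicy JSON shape (the shape returned by GET /identity/conditionalAccess/policies) and checks that a policy still matches the described scope, so that drift such as a new exclusion, a narrowed client-app list, or a second OR control is caught. The displayName and the "drifted" copy are constructed for the example.

```python
"""Drift check for an 'MFA for all users' Conditional Access policy.

Added example; this is not the policy owner's tooling. It models the
policy in the Microsoft Graph conditionalAccessPolicy JSON shape (the
same shape returned by GET /identity/conditionalAccess/policies) and
flags any change that would narrow the scope described above.
"""
import copy

# The policy as described, in Graph's conditionalAccessPolicy shape.
# displayName is an assumption; everything else mirrors the text.
BASELINE_POLICY = {
    "displayName": "CA - Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": [],
            "excludeGroups": [],
            "excludeRoles": [],
        },
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "clientAppTypes": ["all"],
        "platforms": None,
        "locations": None,
        "userRiskLevels": [],
        "signInRiskLevels": [],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": None,
}

# A constructed "drifted" copy: someone dropped legacy clients from scope and
# added compliant-device as an alternative way to satisfy the policy.
DRIFTED_POLICY = copy.deepcopy(BASELINE_POLICY)
DRIFTED_POLICY["conditions"]["clientAppTypes"] = ["browser", "mobileAppsAndDesktopClients"]
DRIFTED_POLICY["grantControls"]["builtInControls"] = ["mfa", "compliantDevice"]


def find_gaps(policy: dict) -> list[str]:
    """Return reasons the policy no longer enforces MFA universally; empty means intact."""
    gaps: list[str] = []
    cond = policy.get("conditions") or {}

    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        gaps.append("users: not scoped to All")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append(f"users: {key} carve-out present")

    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        gaps.append("applications: not scoped to All")
    if apps.get("excludeApplications"):
        gaps.append("applications: excludeApplications carve-out present")

    # Anything other than "all" leaves exchangeActiveSync/other (legacy auth)
    # outside the policy, so those sign-ins are never asked for MFA.
    if cond.get("clientAppTypes") != ["all"]:
        gaps.append("clientAppTypes: legacy authentication clients not covered")

    if cond.get("platforms") or cond.get("locations"):
        gaps.append("conditions: platform or location filter narrows scope")
    if cond.get("userRiskLevels") or cond.get("signInRiskLevels"):
        gaps.append("conditions: risk-based instead of unconditional")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls and not grant.get("authenticationStrength"):
        gaps.append("grant: MFA is not required")
    # With OR, any one selected control satisfies the policy, so a second
    # control is an MFA bypass path, not an extra requirement.
    if grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("grant: OR with multiple controls lets a non-MFA control satisfy the policy")

    if policy.get("state") != "enabled":
        gaps.append(f"state: {policy.get('state')} is not enforcing")
    return gaps


def is_universal_mfa(policy: dict) -> bool:
    """True only if the policy still matches the scope described in the text."""
    return not find_gaps(policy)


if __name__ == "__main__":
    for name, pol in (("baseline", BASELINE_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, "OK" if is_universal_mfa(pol) else find_gaps(pol))
```

In practice the input would be the live objects from GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (Policy.Read.All), run through find_gaps on a schedule. Two points about the checks: any excludeUsers entry is reported, so if an emergency-access account is later excluded that finding is expected and should be acknowledged rather than silenced; and a state of enabledForReportingButNotEnforced (report-only, the sensible first deployment step for a tenant-wide policy) is reported as non-enforcing, which is what you want once the policy is supposed to be live.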
Security Outcome
This policy provides a foundational identity security control. Because a correct password alone never completes a sign-in, it significantly reduces the impact of:
Password spray attacks (a guessed password still cannot be used without the second factor)
Credential phishing that captures only a username and password
Reuse of stolen or leaked credentials
By enforcing MFA universally and without exception, it ensures that single-factor authentication is no longer sufficient for any user sign-in to a cloud application. Two limits are worth stating. User-scoped Conditional Access does not govern workload identities (service principals), which need their own policies. And the policy does not stop adversary-in-the-middle phishing that relays the MFA prompt and captures the resulting session token; resisting that requires a phishing-resistant authentication strength, which this policy does not configure.
