Enterprise MFA Posture Assessment

Microsoft Entra ID, Conditional Access, Duo MFA, and Passwordless Authentication

This project demonstrates one way to analyze, document, and clearly explain a complex enterprise multi-factor authentication (MFA) environment spanning Microsoft Entra ID, Conditional Access, third-party MFA (Duo), and modern passwordless authentication models.

Rather than deploying new infrastructure, this effort focused on accurately determining how MFA is actually enforced today, resolving ambiguity created by legacy UI views, overlapping controls, and mixed MFA providers.


Project Objective

The central question driving this project was:

“How is MFA enforced in the tenant today, and which provider is responsible for enforcement?”

In Microsoft Entra ID, MFA is not a static user setting. It is evaluated dynamically at sign-in time based on Conditional Access policy logic. This project establishes a defensible, policy-driven MFA posture suitable for audits, security reviews, and architectural planning.



Project Diagram

[Diagram: Enterprise MFA Enforcement Flow (Conditional Access). User sign-in -> Conditional Access evaluation -> one of three paths: Microsoft Entra MFA (MFA Enforced, MSAdminPortalsMfa); Duo MFA, third-party (DuoArubaHPE, DuoCatoVPN, DuoCheckpoint, DuoMFAO365, DuoMistPortal); Passwordless / Authentication Strength (PasskeyFido2Test).]

Why This Analysis Was Necessary

  • Multiple Conditional Access policies existed with overlapping scopes
  • Duo MFA and Microsoft MFA were both in use
  • Passwordless FIDO2 authentication was in pilot
  • Legacy per-user MFA views no longer reflected enforcement reality

Without structured analysis, it was not possible to confidently answer leadership questions about MFA coverage or provider responsibility.


MFA Enforcement Model

All sign-ins are evaluated by Conditional Access and routed into one of three enforcement paths:

  • Microsoft Entra MFA (native enforcement)
  • Duo MFA (third-party enforcement via custom grant control)
  • Passwordless Authentication (authentication strength, not MFA)

Policies Enforcing Duo MFA

The following Conditional Access policies enforce MFA using Duo via a custom grant control (RequireDuoMfa). MFA occurs, but Microsoft Entra MFA is not invoked.

  • DuoArubaHPE
  • DuoCatoVPN
  • DuoCheckpoint
  • DuoMFAO365
  • DuoMistPortal

These policies are application-scoped and delegate authentication challenges to Duo, which asserts the result back to Entra ID.


Policies Enforcing Microsoft Entra MFA

The following policies use the native Conditional Access grant control “Require multifactor authentication” and invoke Microsoft Entra MFA directly:

  • MFA Enforced
  • MSAdminPortalsMfa

These represent baseline and privileged-access MFA enforcement aligned with Microsoft best practices.


Passwordless Authentication (Not MFA)

One policy enforces phishing-resistant, passwordless authentication using FIDO2 passkeys:

  • PasskeyFido2Test

This policy intentionally replaces MFA with strong single-factor authentication and is not counted as an MFA enforcement policy.
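The three enforcement paths above can be recovered from the policies' grant controls rather than from legacy per-user MFA views. The following is an added example (not part of the original assessment) that reads policy objects shaped like Microsoft Graph conditionalAccessPolicy JSON and labels each one as Entra MFA, a custom control (Duo in this tenant), or authentication strength; the sample policies are constructed, and the assumption that any custom control here means Duo is specific to this environment.

```python
"""Classify Conditional Access policies by the MFA path they enforce."""
from typing import Dict, List

# Constructed sample resembling a Graph export; names follow the assessment.
# The RequireDuoMfa value is an assumed custom-control identifier.
SAMPLE_POLICIES: List[Dict] = [
    {"displayName": "MFA Enforced", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MSAdminPortalsMfa", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "DuoMFAO365", "state": "enabled",
     "grantControls": {"builtInControls": [],
                       "customAuthenticationFactors": ["RequireDuoMfa"]}},
    {"displayName": "PasskeyFido2Test",
     "state": "enabledForReportingButNotEnforced",
     "grantControls": {"authenticationStrength":
                       {"displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "grantControls": {"builtInControls": ["block"]}},
]


def classify(policy: Dict) -> str:
    """Return which provider or path a policy's grant controls invoke."""
    grant = policy.get("grantControls") or {}
    built_in = grant.get("builtInControls") or []
    custom = grant.get("customAuthenticationFactors") or []
    # A custom control delegates the challenge to the third party (Duo here);
    # MFA occurs, but Microsoft Entra MFA itself is not invoked.
    if custom:
        return "duo-custom-control"
    # Authentication strength (e.g. passkeys) is tracked separately from MFA.
    if grant.get("authenticationStrength"):
        return "auth-strength"
    if "mfa" in built_in:
        return "entra-mfa"
    return "no-mfa"  # block, device compliance, or no grant control


def posture(policies: List[Dict]) -> Dict[str, List[str]]:
    """Group policy names by path. Report-only and disabled policies are
    listed under 'not-enforced' because they prove nothing about current
    enforcement, which is exactly what legacy views get wrong."""
    groups: Dict[str, List[str]] = {k: [] for k in (
        "entra-mfa", "duo-custom-control", "auth-strength", "no-mfa",
        "not-enforced")}
    for p in policies:
        key = classify(p) if p.get("state") == "enabled" else "not-enforced"
        groups[key].append(p["displayName"])
    return groups
```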


Final MFA Posture Summary

MFA enforcement in the environment follows a deliberate hybrid model:

  • Microsoft Entra MFA is used for core and administrative access
  • Duo MFA is used for application-specific access paths
  • Passwordless authentication is piloted separately
  • Legacy per-user MFA views are not relied upon

This architecture aligns with Zero Trust principles while supporting varied application security requirements.


Relevant Skills

  • Microsoft Entra ID & Conditional Access
  • MFA architecture and enforcement modeling
  • Duo MFA integration analysis
  • Passwordless authentication evaluation
  • Policy-driven security assessment
  • Enterprise identity troubleshooting
  • Clear security documentation for leadership and audits
