
Cloud Profile: Azure MFA check conflicts and redundancies #151

@drewadwade

Description


The ADA checks around MFA, Conditional Access, and Security Defaults for Azure are conflicting and soon to be irrelevant.

Security Defaults
The "Ensure Security Defaults is enabled on Azure Active Directory" control (ADA 2.8.1, Azure CIS 1.1.1) conflicts with ADA checks 2.14.5, 2.14.6, 2.15.1, and 2.15.2, which require Conditional Access policies to be configured. Azure requires Security Defaults to be disabled in order to make use of Conditional Access.

The principal concern that required Conditional Access was the enforcement of MFA:

  • 2.14.5 - Ensure that a Multi-factor Authentication Policy Exists for All Users
  • 2.14.6 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • 2.15.1 - Ensure that a Multi-factor Authentication Policy Exists for Administrative Groups
  • 2.15.2 - Ensure Multi-factor Authentication is Required for Azure Management

Conditional Access
Conditional Access policies serve other valuable control functions and should not be impeded by a requirement for Security Defaults. Only one or the other can be enabled at any given time.

Azure MFA
The above policies will soon cease to be an issue as Microsoft will mandatorily enforce MFA for all users on all entrypoints in July 2025. Enforcement is already in place for the Azure Portal, Microsoft Entra admin center, and Microsoft Intune admin center. Starting 1 July 2025, MFA enforcement will gradually begin for Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints.

This change will also make the remaining Azure MFA checks redundant:

  • 2.14.3 - Ensure that "Multi-Factor Auth Status" is "Enabled" for all Privileged Users
  • 2.14.8 - Ensure that "Multi-Factor Auth Status" is "Enabled" for all Non-Privileged Users

Recommendation: Remove ADA 2.8.1, 2.14.3, 2.14.5, 2.14.6, 2.14.8, 2.15.1, 2.15.2
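The either/or relationship described above (Security Defaults or an enforced all-users Conditional Access policy, never both) is what a combined check would have to evaluate. The following is an added example, not code from the issue author or from the ADA project, showing how such a check could be expressed against the JSON shapes Microsoft Graph returns for `GET /policies/identitySecurityDefaultsEnforcementPolicy` and `GET /identity/conditionalAccess/policies`. The sample payloads are constructed inline so the example runs offline; fetching them from a real tenant, and the policy display names and role GUID used in the samples, are assumptions.

```python
"""Combined MFA check: pass if Security Defaults is enabled OR an enforced
Conditional Access policy requires MFA for all users on all apps.

Added example, not part of the ADA project. Payload shapes follow the Microsoft
Graph resources identitySecurityDefaultsEnforcementPolicy and
conditionalAccessPolicy; the sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample: GET /policies/identitySecurityDefaultsEnforcementPolicy
SECURITY_DEFAULTS_ON = {"isEnabled": True}
SECURITY_DEFAULTS_OFF = {"isEnabled": False}

# Constructed sample: GET /identity/conditionalAccess/policies (value array)
CA_POLICIES = [
    {
        "displayName": "Require MFA for all users",            # assumed name
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-account-id"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for Global Admins (report-only)",  # assumed name
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            # Global Administrator role template id
            "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def ca_policy_requires_mfa_for_all(policy: dict) -> bool:
    """True only for an enforced policy scoped to all users and all apps
    whose grant cannot be satisfied without MFA."""
    if policy.get("state") != "enabled":          # report-only/disabled do not enforce
        return False
    conds = policy.get("conditions", {})
    users = conds.get("users", {}).get("includeUsers", [])
    apps = conds.get("applications", {}).get("includeApplications", [])
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # With operator OR, a second control such as compliantDevice could satisfy
    # the grant instead of MFA, so MFA is only guaranteed when it is the sole
    # control or the operator is AND.
    mfa_required = "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])
    return "All" in users and "All" in apps and mfa_required


@dataclass
class MfaAssessment:
    mechanism: str        # "securityDefaults", "conditionalAccess" or "none"
    passed: bool
    findings: list = field(default_factory=list)


def assess_all_user_mfa(security_defaults: dict, ca_policies: list) -> MfaAssessment:
    """Evaluate the two mutually exclusive mechanisms as one control."""
    sd_on = bool(security_defaults.get("isEnabled"))
    active_ca = [p["displayName"] for p in ca_policies if p.get("state") != "disabled"]
    enforcing = [p["displayName"] for p in ca_policies if ca_policy_requires_mfa_for_all(p)]
    findings = []
    if sd_on and active_ca:
        # Entra allows only one of the two to be active; both present means
        # one payload is stale or the tenant state is inconsistent.
        findings.append("Security Defaults enabled alongside active Conditional Access policies: "
                        + ", ".join(active_ca))
    if sd_on:
        return MfaAssessment("securityDefaults", True, findings)
    if enforcing:
        findings.append("All-user MFA enforced by Conditional Access: " + ", ".join(enforcing))
        return MfaAssessment("conditionalAccess", True, findings)
    for p in ca_policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append("Report-only, not enforced: " + p["displayName"])
    findings.append("Neither Security Defaults nor an enforced all-users MFA policy is in place")
    return MfaAssessment("none", False, findings)


if __name__ == "__main__":
    for sd in (SECURITY_DEFAULTS_ON, SECURITY_DEFAULTS_OFF):
        result = assess_all_user_mfa(sd, CA_POLICIES)
        print(result.mechanism, result.passed, result.findings)
```

Scoping the pass condition to `includeUsers == ["All"]` and `includeApplications == ["All"]` is deliberate: a policy that only targets a role group covers 2.15.1-style checks but not an all-users check, and a report-only policy covers nothing. A real run would also need to account for `authenticationStrength` grants, which can require MFA without `mfa` appearing in `builtInControls`.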
