This is exactly what I needed, a straight-to-the-point comparison between all the options. I spent several hours figuring out the difference based on the documentation and random YT videos, even spent a couple of bucks on Udemy courses, which all lack this info. Great content and style, subscribed!
Excellent!
Glad you liked it!
Enabling MFA is a must-have, and I do like the order you proposed. However, I believe MFA via Identity Protection requires P2. What happens if a user has a P1 license? Will the user not be prompted for MFA?
Correct, it is a P2 feature. Msft service description calls out that it gets enabled tenant-wide, but deployment should be scoped to licensed users. learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#how-is-the-service-provisioneddeployed-1
Is it possible to differentiate with "number of days users can trust devices"? So some users will have devices trusted for 30 days, and others for 180?
Using CA you can adjust the Sign-in Frequency and Browser Sessions. learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime With these you could potentially use Device Filters to target different classes of devices.