We are attempting to move from Security Defaults to the Conditional Access Policies, and, to try to replicate the existing settings included by Security Defaults, have set up the 4 common policies as noted here:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
However, my question is in replicating the 'Require MFA for all users' where it discusses excluding cloud apps that do not require MFA. Can we assume, since there is no granularity in setting up Security Defaults for exclusions, that means ALL of the long list of Cloud Apps we technically have are already being silently set to 'require' MFA - and since we've had no issues, everything would be fine to replicate that exactly? Or do Security Defaults specifically only then default to requiring MFA for all users for only M365/O365 apps behind the scenes, thus we'd need to granularly go through the lists to exclude?
Also related to this, is there any order of precedence or supersedence then on the conditional access policies? For example, we are looking at requiring using Duo, so would be setting up a limited test Duo Conditional Access policy, but want that including only the test subjects, so if we also have the Require MFA for all users otherwise set up, do we specifically have to exclude that same group of users in that policy, to avoid both policies conflicting and/or doubling up somehow?