Multifactor Authentication (MFA) in Retail and Login Options to Offline POS and Processes
Here is an overview of when Multifactor Authentication (MFA) must be set up and when it is enforced when authenticating to different services, depending on your configuration.
Scenario | MFA Setup Requirement | MFA Enforcement | Service Example | Notes |
---|---|---|---|---|
Security Defaults enabled, user accessing a non-admin service (for example, LS Central POS) | MFA setup is required for all users. | MFA is not enforced during normal service access (for example, accessing LS Central SaaS, logging into POS). | LS Central SaaS / Online POS; Offline POS using Entra ID auth | Users must set up MFA, but they are not required to use MFA to access these services, since they do not have administrator roles. |
Mandatory MFA for certain applications after 10/15/2024 | MFA setup is required for all users. | MFA is enforced for the specific applications listed by Microsoft, and this cannot be turned off via Conditional Access policies. | Applications listed by Microsoft | MFA is required and enforced for certain apps/services after 10/15/2024 (such as the MS Entra admin center, MS 365 admin center, and Azure portal). |
Conditional Access policy applied for MFA enforcement | MFA setup is required for all users. | MFA is enforced during login if a Conditional Access policy is configured specifically for the service (for example, Business Central). | LS Central SaaS / Online POS; Offline POS using Entra ID auth | Conditional Access policies can enforce MFA for specific apps or scenarios where higher security is needed, such as Business Central Online / LS Central SaaS / Offline POS using Entra ID. Conditional Access policies can be assigned per user and service, if needed. |
Key points
- MFA Setup: All users must set up MFA when Security Defaults are enabled.
- MFA Enforcement: Whether MFA is enforced depends on the activity and the configuration. MFA is enforced during administrative actions or high-risk activities, but not necessarily for regular logins (such as Business Central or LS Central POS).
- Conditional Access Policies: To enforce MFA on certain services (LS Central SaaS / Offline POS using Entra ID authentication), Conditional Access policies can be configured. Without such policies, users may only be required to set up MFA, without it being enforced.
- Mandatory MFA after 10/15/2024: For certain Microsoft applications, MFA will be enforced and cannot be disabled via Conditional Access policies.
Detailed information
Security defaults
Security defaults in Microsoft Entra ID make it easier to help protect your organization from identity-related attacks like password spray, replay, and phishing common in today's environments.
Microsoft is making these preconfigured security settings available to everyone, because they know managing security can be difficult.
- Based on Microsoft's findings, more than 99.9% of these common identity-related attacks are stopped by using multifactor authentication and blocking legacy authentication.
- Microsoft's goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.
Since October 22, 2019, Microsoft has enabled security defaults for newly created tenants by default. If you, as a partner or a customer, own a tenant that was created before October 22, 2019, Microsoft advises you to enable security defaults for your tenant.
Enabling security defaults in Microsoft Entra is essential for organizations with Microsoft Entra Free licenses to protect against identity-related attacks.
- These attacks can lead to unauthorized access, financial loss, and reputational damage.
- Security defaults require all users to register for multifactor authentication (MFA), ensure administrators use MFA, and block legacy authentication protocols.
- This significantly reduces the risk of successful attacks, as more than 99% of common identity-related attacks are stopped by using MFA and blocking legacy authentication. Security defaults offer baseline protection at no extra cost, making them accessible to all organizations.
More information:
Security defaults in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults
Enable Microsoft Entra ID security defaults - https://learn.microsoft.com/en-us/entra/fundamentals/configure-security#enable-microsoft-entra-id-security-defaults
Note: Security defaults in Entra ID require users to set up Multi-Factor Authentication (MFA) but only enforce MFA during administrator-level actions or high-risk activities. MFA is not enforced for all services unless specifically configured through Conditional Access policies for particular applications or scenarios.
How security defaults impact a Retail POS
When Security defaults are used in Entra ID and a user accesses an online POS in LS Central SaaS (the same applies when running Offline POSes with the AccessControlService credential type, which relies on Entra ID for authentication), MFA is not enforced by default, since the user does not hold any administrator-level roles in Entra ID.
In retail/hospitality, from the user experience perspective, this is very practical because it does not require the user to use MFA. Some partners raised enforced MFA as a concern, because it would require MFA to be configured, for instance, on staff members' personal devices.
Conditional Access policies to enforce MFA in Business Central Online / LS Central SaaS
Other, more complex security requirements in your customer's organization might also be a reason to consider Conditional Access rather than Security defaults.
- If, for security reasons, the organization wants MFA to be enforced when logging in to Business Central, Conditional Access policies can be set up specifically for particular applications and scenarios.
- Conditional Access policies require a Premium (paid) plan (for example, Entra ID P1 or P2). This should not be a concern for larger organizations that already use Conditional Access policies to fulfill their security requirements for other Microsoft 365 services.
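An added example, not LS Retail's or Microsoft's own code, of creating such a policy with the Microsoft Graph PowerShell SDK: it first checks whether Security defaults are still on (a tenant cannot use Conditional Access policies while Security defaults are enabled), then creates a report-only MFA policy scoped to the Business Central application. The application ID and the excluded emergency-access account are placeholders to be taken from your own tenant.

```powershell
# Added example (not LS Retail's or Microsoft's code): report-only Conditional
# Access policy requiring MFA for Business Central / LS Central SaaS sign-ins.
# Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.Read.All reads the Security defaults state;
# Policy.ReadWrite.ConditionalAccess is needed to create the policy.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Security defaults and Conditional Access are mutually exclusive: the tenant
# must turn Security defaults off before a Conditional Access policy can apply.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security defaults are enabled; turn them off before enabling Conditional Access policies."
}

# Placeholder: Application (client) ID of the Dynamics 365 Business Central
# enterprise application, copied from Entra admin center > Enterprise applications.
$bcAppId = "<BUSINESS-CENTRAL-APP-ID>"
# Placeholder: object ID of an emergency-access (break-glass) account, excluded
# so that a mis-scoped policy cannot lock administrators out of the tenant.
$breakGlassUserId = "<BREAK-GLASS-USER-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA - Business Central / LS Central SaaS"
    # Report-only: sign-in logs show which POS users would have been prompted,
    # without blocking anyone. Change to "enabled" once the impact is reviewed.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($bcAppId) }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Because the policy is scoped to the Business Central application, it covers the Online POS and the Offline POS using Entra ID authentication described above, while sign-ins to other services remain unaffected.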
More information:
Setting up Multifactor Authentication (MFA) for Business Central
Microsoft Entra Conditional Access documentation
Conditional Access policy templates
According to the following article, MFA will be mandatory after 10/15/2024, but this only applies to the applications listed in the article. Note: This means that to access one of these applications, the user must have MFA set up and is required to use MFA, no matter what. This is a Microsoft requirement, and turning it off using a Conditional Access policy is not possible.
More information:
Mandatory Microsoft Entra multifactor authentication (MFA) (Microsoft Learn): Planning for mandatory multifactor authentication for Azure and other admin portals