Strong authentication maturity - AlexFilipin/ConditionalAccess GitHub Wiki
Our goal is to establish a strong identity on a trustworthy device. In some edge cases (see BYOD approaches) we might want to allow an untrusted device, but then add additional controls on top of it, e.g. DLP. The following is just one example of what the journey could look like; the timing can also differ slightly, e.g. trustworthy devices rolled out before MFA.
Maturity 1: No MFA rollout, maybe some trustworthy devices
- Trusted Location OR Trusted Device OR MFA (for all apps)
- AND context-based tightening (e.g. require MFA for a specific app, an MFA rollout for a subset of users such as admins, DLP controls for some apps)
Maturity 2: MFA rollout, maybe some trustworthy devices
- Trusted Location OR Trusted Device
- Context-based exceptions, possibly with session controls or app protection policies
- AND Risk based MFA
Maturity 3: MFA rollout & trustworthy devices
- Trusted Device
- Context-based exceptions, possibly with session controls or app protection policies
- AND Risk based MFA
Maturity 4: MFA rollout & trustworthy devices & WHFB rollout
- Trusted Device
- Context-based exceptions, possibly with session controls or app protection policies
- AND always require MFA: the MFA claim in the PRT is only issued when the user signs in to the device with WHFB/FIDO2, so the requirement is satisfied by the device sign-in itself rather than by repeated prompts, which prevents MFA fatigue
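As an added example (not code from this wiki or from the ConditionalAccess repository's deployment scripts), the following PowerShell script builds the Maturity 3 policy set described above as Microsoft Graph policy objects and creates them in report-only mode with the Microsoft.Graph.Identity.SignIns module. The layering works the same way at every maturity level: the baseline policy ("Trusted Device") covers all apps, the context-based exception excludes one app from the baseline and re-covers it with MFA plus a session control, and the risk-based MFA policy is a separate policy because Conditional Access ANDs the grant requirements of every policy that applies to a sign-in. The parameters `$BreakGlassGroupId` (an emergency-access group excluded from every policy) and `$DlpAppId` (the app that gets the exception) are assumptions and must be supplied by the reader; the policy names are made up for this example.

```powershell
# Added example, not part of the ConditionalAccess wiki or repo:
# creates the Maturity 3 policy set in report-only mode via Microsoft Graph.
# Assumed inputs: $BreakGlassGroupId (group object id of the emergency-access
# accounts) and $DlpAppId (application id of the app that gets the exception).
#Requires -Modules Microsoft.Graph.Identity.SignIns
param(
    [Parameter(Mandatory)] [string] $BreakGlassGroupId,   # assumption: break-glass group
    [Parameter(Mandatory)] [string] $DlpAppId             # assumption: exception app
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Every policy starts in report-only mode so the sign-in logs show the impact
# before anything is enforced.
$reportOnly = 'enabledForReportingButNotEnforced'

$policies = @(
    # Baseline "Trusted Device": all users, all apps, the device must be
    # Intune-compliant OR hybrid joined. The exception app is excluded here and
    # re-covered by its own policy below, so it never ends up with no policy.
    @{
        displayName = 'CA100 - Maturity 3 - Require trusted device for all apps'
        state       = $reportOnly
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All'); excludeApplications = @($DlpAppId) }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    },
    # Context-based exception: the DLP-protected app may be used from an
    # untrusted device, but only with MFA and with the app's own enforced
    # restrictions (e.g. limited browser session) as the session control.
    @{
        displayName = 'CA101 - Maturity 3 - Exception: DLP app allowed from untrusted device'
        state       = $reportOnly
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @($DlpAppId) }
            clientAppTypes = @('all')
        }
        grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
        sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
    },
    # "AND risk-based MFA": a separate policy. When several policies apply to a
    # sign-in all of their grant controls must be met, so medium/high sign-in
    # risk adds an MFA requirement on top of the trusted-device baseline.
    @{
        displayName = 'CA102 - Maturity 3 - Medium or high sign-in risk requires MFA'
        state       = $reportOnly
        conditions  = @{
            users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications     = @{ includeApplications = @('All') }
            clientAppTypes   = @('all')
            signInRiskLevels = @('medium', 'high')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
)

foreach ($p in $policies) {
    # Idempotency check: do not create a duplicate if the name already exists.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) {
        Write-Warning "Skipping '$($p.displayName)': already exists (id $($existing.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' [$($created.State)] id=$($created.Id)"
}
```

Run it with the two ids, review the report-only results in the sign-in logs for a few days, and only then flip `state` to `enabled`. For Maturity 2 the baseline would add a named-location condition (`locations`) and the grant control list would gain the trusted-location alternative; for Maturity 4 the risk policy is replaced by an unconditional `mfa` requirement, which is silent for users whose PRT already carries the MFA claim from a WHFB/FIDO2 sign-in.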