Microsoft has released (globally available) a new kind of Conditional Access (CA) policy. This CA policy requires users to use MFA when accessing admin portals.
In the past, most people required MFA for users who hold specific admin roles. Best practices stated that MFA was required for users with one or more of the following admin roles:
- Global Administrator
- Application Administrator
- Authentication Administrator
- Billing Administrator
- Cloud Application Administrator
- Conditional Access Administrator
- Exchange Administrator
- Helpdesk Administrator
- Password Administrator
- Privileged Authentication Administrator
- Privileged Role Administrator
- Security Administrator
- SharePoint Administrator
- User Administrator
There’s absolutely nothing wrong with a CA policy like this, and I’ll probably keep using it together with the new Admin Portals MFA policy. Be aware that the admin roles CA policy can lead to more MFA prompts for these users when they access normal (non-admin) resources.
The new CA policy requires everyone to use MFA when entering one of the admin portals, no matter what roles your identity has. The new CA policy does have some limitations in terms of admin portals: not all of them are (yet) included. The portals covered by this CA policy are:
- Microsoft SharePoint admin center
- Microsoft Teams admin center
- Microsoft Azure portal
- Microsoft Exchange admin center
- Microsoft Entra admin center
- Microsoft Purview portal
- Microsoft 365 admin center
- Microsoft Intune admin center
- Microsoft 365 Defender portal
How to implement?
The new CA policy is available as a template. I advise using the template and modifying the settings to your specific needs.
1: Click New policy from template
2: Click Protect administrator
3: Select Require multifactor authentication for Microsoft admin portals
4: Click Review + create
5: Select policy state Report only. We enable the policy later.
6: Click Create
Open the newly created CA policy and modify the settings to your needs. My recommendations are shown below.
- Remove the currently excluded user. This is the account that created the CA policy in the steps above (the template excludes it so you cannot lock yourself out). Remove this exclusion, by un-selecting it under the Users and groups setting, only if that user has already configured MFA for its identity.
- If you use Break Glass accounts, you should exclude these from this policy!
- In my opinion, sign-in frequency should be part of the template. I require my admins to reauthenticate after 4 hours, but an even shorter interval could be more secure.
Optionally configure one of the following settings:
- Phishing-resistant MFA (you should be doing this already)
- Block specific countries, or allow only specific countries
- Require a compliant or hybrid Azure AD joined device
The last and most important step is to enable the policy!
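The steps above are clicked through in the portal, but the same policy can be expressed as a Microsoft Graph request body and, more usefully, audited. The following is an added example (my own code, not Microsoft's and not part of the original post) that builds the recommended policy as the body you would POST to `/identity/conditionalAccess/policies`, and then checks an exported list of policies for the gaps the post warns about: the creating admin still excluded, break-glass accounts not excluded, no sign-in frequency, and the policy left in report-only mode. The Graph property names and the values `MicrosoftAdminPortals`, `mfa` and `enabledForReportingButNotEnforced` are taken from the Graph conditionalAccessPolicy resource; the object IDs and the sample policies are constructed placeholders.

```python
"""Build and audit a 'Require MFA for Microsoft admin portals' Conditional Access
policy in the Microsoft Graph JSON shape. Added example; not Microsoft's code.
All GUIDs and sample policies below are constructed placeholders."""
from __future__ import annotations

ADMIN_PORTALS = "MicrosoftAdminPortals"  # Graph cloud-app value for the admin portal set

# Constructed break-glass account object IDs (placeholders, not a real tenant).
BREAK_GLASS_IDS = ["11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222"]


def build_admin_portal_mfa_policy(break_glass_ids, sign_in_hours=4, report_only=True):
    """Return the request body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": "Require MFA for Microsoft admin portals",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": [ADMIN_PORTALS]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": "hours",
                                "value": sign_in_hours, "frequencyInterval": "timeBased"},
        },
    }


def audit_policy(policy, break_glass_ids, max_sign_in_hours=4):
    """Return a list of findings; an empty list means the policy matches the post's advice."""
    findings = []
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications", [])
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}

    if ADMIN_PORTALS not in apps:
        findings.append("policy does not target MicrosoftAdminPortals")
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not include all users")
    excluded = set(users.get("excludeUsers", []))
    missing = sorted(set(break_glass_ids) - excluded)
    if missing:
        findings.append(f"break-glass accounts not excluded: {missing}")
    # Anything excluded that is not a break-glass account is usually the admin who
    # created the policy from the template; the post says to remove that exclusion.
    unexpected = sorted(excluded - set(break_glass_ids))
    if unexpected:
        findings.append(f"unexpected excluded users (creating admin?): {unexpected}")
    # Either the 'mfa' built-in control or an authentication strength enforces MFA.
    if "mfa" not in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
        findings.append("no MFA grant control")
    if not sif.get("isEnabled"):
        findings.append("no sign-in frequency configured")
    else:
        hours = sif.get("value", 0) * (24 if sif.get("type") == "days" else 1)
        if hours > max_sign_in_hours:
            findings.append(f"sign-in frequency {hours}h exceeds {max_sign_in_hours}h")
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not 'enabled'")
    return findings


def audit_tenant(policies, break_glass_ids):
    """Map displayName -> findings for every exported policy that targets the admin portals."""
    return {p["displayName"]: audit_policy(p, break_glass_ids) for p in policies
            if ADMIN_PORTALS in ((p.get("conditions") or {}).get("applications") or {})
            .get("includeApplications", [])}


# Constructed sample: the template as created in the portal, left unmodified.
WEAK_POLICY = {
    "displayName": "Admin portals MFA (template, unmodified)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        # 3333... stands for the admin who created the policy; the template excluded them.
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["33333333-3333-3333-3333-333333333333"]},
        "applications": {"includeApplications": [ADMIN_PORTALS]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": None,
}

SAMPLE_EXPORT = [WEAK_POLICY,
                 build_admin_portal_mfa_policy(BREAK_GLASS_IDS, report_only=False)]

if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_EXPORT, BREAK_GLASS_IDS).items():
        print(name, "->", findings or "OK")
```

In practice you would feed `audit_tenant` the output of `GET /identity/conditionalAccess/policies` (or `Get-MgIdentityConditionalAccessPolicy`) and run it on a schedule, so a policy that is still in report-only mode or that silently lost its break-glass exclusion shows up as a finding rather than as a lockout.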
Happy securing! 🙂