Description

Require users to perform MFA to access highly privileged roles. This configuration provides a backup policy to enforce MFA for highly privileged users in case the main conditional access policy—which requires MFA for all users—is disabled or misconfigured.

Policy

• MFA shall be required for users to access highly privileged roles

• Highly Privileged roles include the following:

  • Global Administrator

  • Privileged Role Administrator

  • User Administrator

  • SharePoint Administrator

  • Exchange Administrator

  • Hybrid Identity Administrator

  • Application Administrator

  • Teams Administrator

• One emergency access account shall be excluded from the MFA policy

Licensing Considerations

Enforcing MFA for privileged roles through conditional access requires an Azure AD P1 license which can be purchased standalone or through the following common plans:

o Microsoft 365 Business Premium

o EMS + E3 or EMS + E5

o Microsoft 365 E3

o Microsoft 365 E5

Set Up Instructions

1. Create a Conditional Access Policy with the Templates: available

2. Chose the “Require Multi-Factor authentication for Admins” setting

3. Modify the policy to ensure your emergency access user/group is excluded

End-User Impact

End-User impact is low due to this policy scoped to a small set of users. The end-user experience is the same as the previous section. The user experience will vary depending on which MFA methods you have set up.

PowerShell Scripts

Viewing Global Admins without MFA: Security/Customer-Global Admin without MFA.ps1 at master · msp4msps/Security (github.com)

Conditional Access Policies as Code: Azure-Samples/azure-ad-conditional-access-apis: Use Conditional Access Graph APIs to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies. (github.com)

Videos