# MFA is enforced on accounts with Highly Privileged Roles

## Description

Require users to perform MFA to access highly privileged roles. This configuration provides a backup policy to enforce MFA for highly privileged users in case the main conditional access policy—which requires MFA for all users—is disabled or misconfigured.

## Policy

* MFA shall be required for users to access highly privileged roles
* Highly Privileged roles include the following:
  * Global Administrator
  * Privileged Role Administrator
  * User Administrator
  * SharePoint Administrator
  * Exchange Administrator
  * Hybrid Identity Administrator
  * Application Administrator
  * Teams Administrator
* One emergency access account shall be excluded from the MFA policy

## Licensing Considerations

Enforcing MFA for privileged roles through Conditional Access requires an Azure AD Premium P1 license, which can be purchased standalone or is included in the following common plans:

* Microsoft 365 Business Premium
* EMS E3 or EMS E5
* Microsoft 365 E3
* Microsoft 365 E5

## Set Up Instructions

1. Create a Conditional Access Policy from the [available templates](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common#conditional-access-templates-preview)

2. Choose the “Require multifactor authentication for admins” template

3. Modify the policy so that your emergency access user or group is excluded
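The same three steps scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page or the linked template. It resolves the eight role template IDs by display name, excludes an exclusion group whose name (`CA-Exclude-BreakGlass`) and the policy display name are assumptions, creates the policy in report-only mode, and then reads the policy back to confirm the exclusion landed before anyone enables it.

```powershell
# Added example (not code from the original page): create the backup
# "Require MFA for highly privileged roles" Conditional Access policy with the
# Microsoft Graph PowerShell SDK, in report-only mode, with a break-glass group excluded.
$scopes = @(
    "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
    "RoleManagement.Read.Directory", "Group.Read.All"
)
Connect-MgGraph -Scopes $scopes

# The eight roles listed in the Policy section above
$privilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator", "User Administrator",
    "SharePoint Administrator", "Exchange Administrator", "Hybrid Identity Administrator",
    "Application Administrator", "Teams Administrator"
)

# Resolve role template IDs by display name instead of hard-coding GUIDs
$roleTemplateIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $privilegedRoles -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id)

if ($roleTemplateIds.Count -ne $privilegedRoles.Count) {
    throw "Resolved $($roleTemplateIds.Count) of $($privilegedRoles.Count) role templates; check the display names."
}

# Assumed group name: the group that holds the emergency access account(s). Create it first.
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'" | Select-Object -First 1
if (-not $breakGlassGroup) { throw "Break-glass exclusion group not found." }

$policy = @{
    displayName = "Backup: Require MFA for highly privileged roles"   # assumed name
    # Report-only first; switch to "enabled" after reviewing the sign-in log impact
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles  = $roleTemplateIds
            excludeGroups = @($breakGlassGroup.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and verify the exclusion before anyone flips it to enabled
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroup.Id) {
    throw "Break-glass group is not excluded; do not enable this policy."
}
```

The read-back check matters because a policy that requires MFA for Global Administrators with no working exclusion can lock every admin out at once if MFA registration or the identity provider is broken. To require phishing-resistant MFA instead of any MFA, replace `builtInControls` with an `authenticationStrength` block referencing the built-in "Phishing-resistant MFA" strength (look it up with `Get-MgPolicyAuthenticationStrengthPolicy`).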

## End-User Impact

{% hint style="info" %}
Level: <mark style="color:green;">Low</mark>
{% endhint %}

End-user impact is low because this policy is scoped to a small set of users. The end-user experience is the same as in the previous section and will vary depending on which MFA methods you have set up.

{% hint style="info" %}
Tips

* Create a group in Azure Active Directory to hold all accounts excluded from MFA: your emergency break-glass account and service accounts such as the Azure AD Connect sync service account.
* If you are unable to enforce phishing-resistant MFA across all users, at minimum enable it for accounts with privileged roles (Global Admins, User Admins, etc.).
* Set the Conditional Access Policy to “Report-only” mode first to see how many users in the organization it will impact before turning the policy on.
{% endhint %}

## PowerShell Scripts

Viewing Global Admins without MFA: [Security/Customer-Global Admin without MFA.ps1 at master · msp4msps/Security (github.com)](https://github.com/msp4msps/Security/blob/master/Customer-Global%20Admin%20without%20MFA.ps1)

Conditional Access Policies as Code: [Azure-Samples/azure-ad-conditional-access-apis: Use Conditional Access Graph APIs to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies. (github.com)](https://github.com/Azure-Samples/azure-ad-conditional-access-apis)
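An added audit script, not the script linked above, that lists members of the eight highly privileged roles who have no MFA method registered. It uses the authentication methods registration report (which needs the Premium P1 license noted above) and checks every role from the Policy section, not only Global Administrator.

```powershell
# Added example (not code from the original page): find active members of the
# highly privileged roles who have no MFA method registered.
$scopes = @("RoleManagement.Read.Directory", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All")
Connect-MgGraph -Scopes $scopes

function Get-PrivilegedUsersWithoutMfa {
    param(
        [string[]]$RoleNames = @(
            "Global Administrator", "Privileged Role Administrator", "User Administrator",
            "SharePoint Administrator", "Exchange Administrator", "Hybrid Identity Administrator",
            "Application Administrator", "Teams Administrator"
        )
    )

    # Pull the registration report once and index it by user object id
    $registration = @{}
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        ForEach-Object { $registration[$_.Id] = $_ }

    # Get-MgDirectoryRole only returns roles that have been activated in the tenant
    $roles = Get-MgDirectoryRole | Where-Object { $RoleNames -contains $_.DisplayName }

    foreach ($role in $roles) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Groups and service principals have no registration record; only users do
            if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

            $detail = $registration[$member.Id]
            $mfaRegistered = [bool]($detail -and $detail.IsMfaRegistered)
            if ($mfaRegistered) { continue }

            $methods = ''
            if ($detail) { $methods = $detail.MethodsRegistered -join ',' }

            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
                IsMfaRegistered   = $mfaRegistered
                MethodsRegistered = $methods
            }
        }
    }
}

Get-PrivilegedUsersWithoutMfa | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
```

`Get-MgDirectoryRoleMember` returns only active assignments; accounts that are merely eligible for a role through Privileged Identity Management are not listed and need the role management (PIM) APIs instead. Any account this report returns that is not the intended break-glass account is a gap the policy above would expose once it is switched from report-only to enabled.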

## Videos

{% embed url="https://www.youtube.com/watch?v=DFwERh9Xxk0" %}


