MFA is enforced on accounts with Highly Privileged Roles

Description

Require users to perform MFA to access highly privileged roles. This configuration provides a backup policy to enforce MFA for highly privileged users in case the main conditional access policy—which requires MFA for all users—is disabled or misconfigured.

Policy

  • MFA shall be required for users to access highly privileged roles

  • Highly Privileged roles include the following:

    • Global Administrator

    • Privileged Role Administrator

    • User Administrator

    • SharePoint Administrator

    • Exchange Administrator

    • Hybrid Identity Administrator

    • Application Administrator

    • Teams Administrator

  • One emergency access account shall be excluded from the MFA policy

Licensing Considerations

Enforcing MFA for privileged roles through conditional access requires an Azure AD P1 license which can be purchased standalone or through the following common plans:

o Microsoft 365 Business Premium

o EMS + E3 or EMS + E5

o Microsoft 365 E3

o Microsoft 365 E5

Set Up Instructions

1. Create a Conditional Access Policy with the Templates: available

2. Chose the “Require Multi-Factor authentication for Admins” setting

3. Modify the policy to ensure your emergency access user/group is excluded

End-User Impact

Level: Low

End-User impact is low due to this policy scoped to a small set of users. The end-user experience is the same as the previous section. The user experience will vary depending on which MFA methods you have set up.

Tips

  • Create a group in Azure Active Directory used to place all accounts excluded from MFA. This would be your emergency break-glass account and a service accounts such as the Azure AD Connect sync service account.

  • If you are able to enforce phishing-resistant MFA across all users, at minimum try to enable it for accounts with privileged roles (Global Admins, User Admins, etc.)

  • Turn the Conditional Access Policy to “Report-Only” mode to get information around how many users in the organization this will impact before turning the policy on.

PowerShell Scripts

Viewing Global Admins without MFA: Security/Customer-Global Admin without MFA.ps1 at master · msp4msps/Security (github.com)

Conditional Access Policies as Code: Azure-Samples/azure-ad-conditional-access-apis: Use Conditional Access Graph APIs to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies. (github.com)

Videos

PreviousMFA Shall Be Required for All UsersNextMFA is enforced for Azure Management

Last updated