In a recent update, Microsoft announced that all Azure AD tenants will require MFA for privileged Azure AD accounts through a “Baseline” Conditional Access Policy.
Privileged Azure AD accounts have unrestricted access to your environment. Multi-Factor Authentication (MFA), typically a username and password plus a verification PIN or biometric, adds a critical second layer of security. The most common privileged account type is the Global Administrator. There are 5 account types or roles which Microsoft is protecting in this “Public Preview” baseline policy, namely:
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional access administrator
- Security administrator
Baseline protection is a set of predefined conditional access policies. The goal of these policies is to ensure that you have at least the baseline level of security enabled.
The policy gets created automatically by Microsoft in your Azure AD tenant. If you are running Office 365 only, you too will have an Azure AD tenant to which this policy will apply. Conditional Access functionality ordinarily requires Azure AD Premium, but this baseline protection will apply to all editions of Azure AD, even Basic.
While managing custom conditional access policies requires an Azure AD Premium license, baseline policies are available in all editions of Azure AD.
While this feature is in “Public Preview”, the policy is not enabled by default, but instead set to “Automatically enable policy in the future”. When the feature becomes “Generally Available” or GA, the policy will be enabled by default on all new Azure AD tenants, and I assume “…in the future” means the GA date too. Since this date is undetermined at this stage, the change could have an impact on your admins, albeit a more secure one.
It is advised to create what we call a “Break-glass” admin account, which is specified in the excluded users section of the policy. An account password for a “Break-glass” account is usually separated into two or three parts, written on separate pieces of paper, and stored in secure, fireproof safes that are in secure, separate locations.
Once you have added accounts to the excluded users and groups section of the baseline policy, set the policy to “Use policy immediately”, then test it by signing in with an account in one of the directory roles; you should get an MFA prompt.
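One way to sanity-check the exclusion list before switching the policy to “Use policy immediately”, as an added example (not Microsoft's tooling or code from this article): it compares role assignments against the excluded users and your documented “Break-glass” accounts. The input layout of (UPN, role) pairs, the function name and all account names are assumptions made for illustration.

```python
# Added example; account names and input layout are constructed.

# The five directory roles the baseline policy protects (listed in the article).
PROTECTED_ROLES = {
    "global administrator",
    "sharepoint administrator",
    "exchange administrator",
    "conditional access administrator",
    "security administrator",
}

def _norm(value):
    return value.strip().lower()  # UPNs and role names compare case-insensitively

def audit_exclusions(assignments, excluded, break_glass):
    """assignments: (upn, role) pairs exported from the tenant.
    excluded: UPNs in the policy's excluded users section.
    break_glass: UPNs documented as emergency-access accounts."""
    excluded = {_norm(u) for u in excluded}
    break_glass = {_norm(u) for u in break_glass}
    privileged = {_norm(upn) for upn, role in assignments
                  if _norm(role) in PROTECTED_ROLES}
    return {
        # Admins who should see an MFA prompt once the policy is in use.
        "mfa_required": sorted(privileged - excluded),
        # Privileged accounts exempt from MFA without being break-glass.
        "unexpected_exclusions": sorted((privileged & excluded) - break_glass),
        # Break-glass accounts the policy would still challenge for MFA.
        "break_glass_not_excluded": sorted(break_glass - excluded),
        # Exclusions that protect nothing: the account holds no listed role.
        "stale_exclusions": sorted(excluded - privileged),
    }

# Constructed sample data (not from a real tenant).
SAMPLE_ASSIGNMENTS = [
    ("alice@contoso.example", "Global administrator"),
    ("bob@contoso.example", "Exchange administrator"),
    ("carol@contoso.example", "Security administrator"),
    ("breakglass1@contoso.example", "Global administrator"),
    ("dave@contoso.example", "Helpdesk administrator"),  # not a protected role
]
SAMPLE_EXCLUDED = ["BreakGlass1@contoso.example", "bob@contoso.example",
                   "old-admin@contoso.example"]
SAMPLE_BREAK_GLASS = ["breakglass1@contoso.example", "breakglass2@contoso.example"]

if __name__ == "__main__":
    report = audit_exclusions(SAMPLE_ASSIGNMENTS, SAMPLE_EXCLUDED, SAMPLE_BREAK_GLASS)
    for finding, accounts in report.items():
        print(f"{finding}: {accounts}")
```

Any entry under `unexpected_exclusions` is a privileged account that will never be asked for MFA, so that list should be empty before the policy is enabled.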
For “just in time administrative access” consider using Privileged Identity Management available as an Azure Active Directory Premium P2 feature. Eligible admins should be users that need privileged access now and then, but not all-day, every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.