Microsoft likens MFA to 1960s seatbelts, buckles admins in yet keeps eject button

November 7, 2023 at 12:49PM

Microsoft is introducing three Microsoft-managed Conditional Access policies to push multi-factor authentication (MFA) across organizations. Each policy is first deployed in report-only mode, giving customers 90 days to review its impact and opt out before it is enforced. The first policy requires MFA for privileged admin accounts signing in to Microsoft admin portals. The other two apply to customers still on legacy per-user MFA and, for Entra ID P2 tenants, to high-risk sign-ins. Microsoft's stated goal is 100 percent MFA uptake, and it recommends Conditional Access policies over per-user MFA because they give more granular control. Microsoft reports large reductions in account compromise wherever MFA is enabled.

Microsoft is introducing three Conditional Access policies for sysadmins, with the aim of driving adoption of multi-factor authentication (MFA) in organizations. The policies are deployed automatically, in report-only mode, to eligible customers' tenants. Customers have a 90-day window to review the policies and opt out if necessary; otherwise the policies are switched from report-only to enabled once that window closes.

Of the three policies, Microsoft is pressing hardest for the first, which applies to tenants on Entra ID P1 and P2. It requires accounts holding privileged admin roles to complete MFA when accessing Microsoft admin portals such as the Azure portal, the Microsoft 365 admin center and the Exchange admin center. Admins can opt out of this policy, but Microsoft says it intends to attach MFA requirements to more specific interactions over time.
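To see what the first policy amounts to in practice, here is an added example (not Microsoft's own managed-policy definition, and not code from the article) that creates an equivalent Conditional Access policy with the Microsoft Graph PowerShell SDK, in report-only mode, and then reads the sign-in log to show which admin sign-ins would have been challenged for MFA. The list of roles treated as "privileged", the break-glass exclusion group name and the seven-day review window are assumptions of this example; the article does not specify them.

```powershell
# Added example: approximates Microsoft's "require MFA for admins on admin portals" policy.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph -Scope CurrentUser)
# and a Conditional Access Administrator (or equivalent) signing in to Connect-MgGraph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Directory.Read.All", "AuditLog.Read.All"

# Assumption: which directory roles count as "privileged admin" for this tenant.
$privilegedRoleNames = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Conditional Access Administrator", "Exchange Administrator", "SharePoint Administrator",
    "User Administrator", "Application Administrator"
)

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$roleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $privilegedRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id
if (@($roleIds).Count -ne $privilegedRoleNames.Count) {
    throw "Could not resolve every privileged role name; check spelling before creating the policy."
}

# Exclude emergency-access accounts so a lost authenticator cannot lock every admin out.
# Assumption: such accounts live in a group named CA-Exclude-BreakGlass.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass exclusion group before enforcing MFA on admins." }

# "MicrosoftAdminPortals" is the Graph-side identifier for the admin-portal application group.
# State enabledForReportingButNotEnforced is report-only, the same mode Microsoft ships its policies in.
$policy = @{
    displayName   = "Require MFA for privileged admins on Microsoft admin portals (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("MicrosoftAdminPortals") }
        users          = @{
            includeRoles  = @($roleIds)
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review the report-only result: every sign-in the policy would have interrupted
# shows up with result reportOnlyFailure in appliedConditionalAccessPolicies.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$wouldBeChallenged = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    if ($hit) {
        [pscustomobject]@{
            When = $s.CreatedDateTime; User = $s.UserPrincipalName
            App  = $s.AppDisplayName;  IP   = $s.IPAddress
        }
    }
}
$wouldBeChallenged | Sort-Object User | Format-Table -AutoSize

# Once the report-only results look right, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Two checks worth doing before the enforced switch: confirm that every account listed in the report-only output actually has an MFA method registered (otherwise enforcement turns into a lockout), and confirm that the break-glass accounts never appear in the output, which proves the exclusion is working.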

The other two policies apply to smaller subsets of customers. For tenants still using the legacy per-user MFA implementation, sign-ins to cloud apps will require MFA across the board; the aim is to retire per-user MFA and make Conditional Access the standard way of requiring it. Customers on Entra ID P2 get a third policy that requires MFA for all high-risk sign-ins, that is, sign-ins that Microsoft's risk detection flags as coming from accounts exhibiting abnormal behavior.

Microsoft's goal is MFA adoption across 100 percent of its customers. Today only 37 percent use MFA, though newer tenants adopt it at a higher rate. The "security defaults" initiative launched in 2019 has led to over 80 percent of new customers keeping MFA enabled. Microsoft began rolling security defaults out to existing customers in 2022 as well, and over 94 percent of the small and medium-sized enterprises (SMEs) that received them kept MFA enabled.

Despite these efforts, Microsoft acknowledges that the overall MFA uptake is still below the ideal target. The company’s research shows that MFA can reduce the risk of account takeover by over 99 percent and customers with security defaults enabled experience 80 percent fewer compromises. In response to customer feedback, Microsoft is providing clear and customizable policy recommendations through its Microsoft-managed Conditional Access policies.

Alex Weinert, VP Identity Security at Microsoft, stated that Conditional Access policies offer clear and self-deploying guidance, allowing customers to tune the policies according to their specific needs. Microsoft will also offer tailored policies for specific organizations in the future. Weinert compared MFA to seatbelts, noting the decrease in traffic-related injuries after their introduction as a legal requirement. Similarly, consumer account compromises significantly decreased when Microsoft enabled MFA by default in 2013.
