November 6, 2023 at 03:05PM
Microsoft will be implementing Conditional Access policies that require multifactor authentication (MFA) for administrators signing in to Microsoft admin portals. Further policies will require MFA for per-user MFA users on all cloud apps and for high-risk sign-ins. Admins will have 90 days to review the policies and decide whether to enable them. Microsoft recommends opting for MFA to protect user access.
Key takeaways:
1. Microsoft will be implementing Conditional Access policies that require multifactor authentication (MFA) for administrators when signing into Microsoft admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure.
2. Additional policies will require MFA for per-user MFA users for all cloud apps, and MFA for high-risk sign-ins (available to Microsoft Entra ID Premium Plan 2 customers).
3. These policies will be added in report-only mode to eligible Microsoft Entra tenants starting next week. Admins will have 90 days to review and decide whether to enable them or not.
4. Conditional Access policies that are not toggled off within 90 days after the rollout will be automatically enabled by Microsoft.
5. Microsoft strongly recommends that multifactor authentication be used to protect all user access to admin portals. Opting out of these policies is possible, but Microsoft may increasingly require MFA for specific interactions.
6. The policies can be found in the Microsoft Entra admin center under Protection > Conditional Access > Policies.
7. Administrators with the Conditional Access Administrator role can modify the state (On, Off, or Report-only) for the policies and exclude certain identities (Users, Groups, and Roles) within the policy.
8. Emergency access or break-glass accounts should be excluded from these policies, similar to other Conditional Access policies.
9. Microsoft allows for further customization of the policies by cloning them and tailoring them according to specific needs.
10. The goal is to achieve 100 percent multifactor authentication, as studies show it significantly reduces the risk of account takeover.
11. Microsoft aims to combine machine learning-based policy insights and recommendations with automated policy rollout to enhance security posture.
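The review described in items 4, 7 and 8, sketched as an added example (not Microsoft's code or tooling): it takes policies shaped like the Microsoft Graph `conditionalAccessPolicy` resource and lists MFA policies that are on, or in report-only mode and therefore due to be auto-enabled, without excluding the break-glass accounts. The sample policies, the placeholder object IDs and the assumption that the break-glass group contains every emergency account are constructed for illustration.

```python
# Placeholder object IDs for emergency access accounts (constructed, not real).
BREAK_GLASS_USERS = {"bg-user-1", "bg-user-2"}
# Assumption: this group contains every break-glass account.
BREAK_GLASS_GROUPS = {"bg-group-1"}

# Constructed sample, shaped like GET /identity/conditionalAccess/policies.
SAMPLE_POLICIES = [
    {"displayName": "Sample: MFA for admin portals",
     "state": "enabledForReportingButNotEnforced",   # Report-only
     "conditions": {"users": {"excludeUsers": [], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Sample: MFA for per-user MFA users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"excludeUsers": [], "excludeGroups": ["bg-group-1"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Sample: MFA for all users",
     "state": "enabled",                              # On
     "conditions": {"users": {"excludeUsers": ["bg-user-1"], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Sample: retired MFA policy",
     "state": "disabled",                             # Off
     "conditions": {"users": {"excludeUsers": [], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def requires_mfa(policy):
    """True if the policy's grant controls include the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])

def missing_break_glass(policy):
    """Break-glass user IDs that the policy's user exclusions do not cover."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if BREAK_GLASS_GROUPS & set(users.get("excludeGroups") or []):
        return set()  # excluded through the break-glass group
    return BREAK_GLASS_USERS - set(users.get("excludeUsers") or [])

def review(policies):
    """Return (name, state, missing IDs) for MFA policies that are On or
    Report-only and would apply to at least one break-glass account."""
    findings = []
    for policy in policies:
        if policy.get("state") == "disabled" or not requires_mfa(policy):
            continue
        missing = missing_break_glass(policy)
        if missing:
            findings.append((policy["displayName"], policy["state"], sorted(missing)))
    return findings

if __name__ == "__main__":
    for name, state, missing in review(SAMPLE_POLICIES):
        print(f"{name} [{state}] does not exclude: {', '.join(missing)}")
```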