What’s happening?
A very important incoming change is that Microsoft will now deploy and enforce their own Conditional Access polices in your tenant. This change will be notified in advance in the admin message center under Feature ID 183905
What is a Conditional Access policy?
Hopefully you already know this, but in case you’re unfamiliar: Conditional Access (CA) is one of the cornerstones of Identity-security in Entra ID. The short and simple description is that every single login is subject for evaluation automatically by Entra ID, and based on a potentially large number of factors you can determine if and how and what a user can gain access to. The most common example is to enforce Multifactor Authentication when a user logs in (and you REALLY should), but you can also customize the rules down to very specific access under very specific conditions. For example, enforce FIDO2 keys for admin accounts, block login from unmanaged devices etc etc.
What policies will Microsoft implement?
Depending on your current licenses and setup for Entra ID you will recieve 1-3 Microsoft managed CA policies.
- Require multifactor authentication for admin portals
- Who will receive this policy:
- All customers
- What the policy does:
- This policy covers privileged admin roles and requires MFA when an admin signs into a Microsoft admin portal.
- This policy covers privileged admin roles and requires MFA when an admin signs into a Microsoft admin portal.
- Who will receive this policy:
- Require multifactor authentication for per-user multifactor authentication users
- Who will receive this policy:
- Existing per-user-MFA customers (legacy MFA portal which you should seriously stop using)
- What the policy does:
- This policy applies to users with per-user MFA and requires MFA for all cloud apps. It helps organizations transition to Conditional Access.
- This policy applies to users with per-user MFA and requires MFA for all cloud apps. It helps organizations transition to Conditional Access.
- Who will receive this policy:
- Require multifactor authentication for high-risk sign-ins
- Who will receive this policy:
- Current Microsoft Entra ID Premium Plan 2 customers
- What the policy does:
- This policy covers all users and requires MFA and reauthentication during high-risk sign-ins.
- This policy covers all users and requires MFA and reauthentication during high-risk sign-ins.
- Who will receive this policy:
But I don’t want these policies
Well, you absolutely should protect your user accounts as much as you possibly can, and enforcing MFA on all accounts always, is still one of the most (if not the most) effective way to protect your cloud environment. There are of course some exceptions where enforcing MFA is not viable, but they are exceptions and not the rule.
After the policies arrive in your tenant you will be notified and they will be in “Report-only” mode for 90 days be fire they are activated. So you have ample time to add exceptions or deactivate these CA polices.
However they do form a good baseline and I can’t overstate the importance of securing your accounts, so just because you can exclude or deactivate these policies doesn’t mean that you should. Please don’t exclude MFA requirements because it’s the easy solution or it somehow is the “default” in you mind.
None of my tenants has received these Conditional Access policies yet, but I will make a new post when/if they do.
Until next time….
Discover more from Agder in the cloud
Subscribe to get the latest posts sent to your email.