Microsoft-managed Conditional Access policies!

What’s happening?

A very important incoming change is that Microsoft will now deploy and enforce their own Conditional Access polices in your tenant. This change will be notified in advance in the admin message center under Feature ID 183905

What is a Conditional Access policy?

Hopefully you already know this, but in case you’re unfamiliar: Conditional Access (CA) is one of the cornerstones of Identity-security in Entra ID. The short and simple description is that every single login is subject for evaluation automatically by Entra ID, and based on a potentially large number of factors you can determine if and how and what a user can gain access to. The most common example is to enforce Multifactor Authentication when a user logs in (and you REALLY should), but you can also customize the rules down to very specific access under very specific conditions. For example, enforce FIDO2 keys for admin accounts, block login from unmanaged devices etc etc.

Overview of Conditional Access sources for evaluation (screenshot from Microsoft)

What policies will Microsoft implement?

Depending on your current licenses and setup for Entra ID you will recieve 1-3 Microsoft managed CA policies.

  • Require multifactor authentication for admin portals
    • Who will receive this policy:
      • All customers
    • What the policy does:
      • This policy covers privileged admin roles and requires MFA when an admin signs into a Microsoft admin portal.
  • Require multifactor authentication for per-user multifactor authentication users
    • Who will receive this policy:
      • Existing per-user-MFA customers (legacy MFA portal which you should seriously stop using)
    • What the policy does:
      • This policy applies to users with per-user MFA and requires MFA for all cloud apps. It helps organizations transition to Conditional Access.
  • Require multifactor authentication for high-risk sign-ins
    • Who will receive this policy:
      • Current Microsoft Entra ID Premium Plan 2 customers
    • What the policy does:
      • This policy covers all users and requires MFA and reauthentication during high-risk sign-ins.

But I don’t want these policies

Well, you absolutely should protect your user accounts as much as you possibly can, and enforcing MFA on all accounts always, is still one of the most (if not the most) effective way to protect your cloud environment. There are of course some exceptions where enforcing MFA is not viable, but they are exceptions and not the rule.

After the policies arrive in your tenant you will be notified and they will be in “Report-only” mode for 90 days be fire they are activated. So you have ample time to add exceptions or deactivate these CA polices.

However they do form a good baseline and I can’t overstate the importance of securing your accounts, so just because you can exclude or deactivate these policies doesn’t mean that you should. Please don’t exclude MFA requirements because it’s the easy solution or it somehow is the “default” in you mind.

None of my tenants has received these Conditional Access policies yet, but I will make a new post when/if they do.

Until next time….

Author

  • Per-Torben Sørensen has 25 years experience in IT and Microsoft infrastructure. He is currently an MCT and works as a Technical Architect within M365 at Crayon. His passion is Entra ID and Identity and access management and helps customers become "copilot-ready". He's also a engaged speaker and is always eager to share his knowledge and learn from others.

    View all posts

Discover more from Agder in the cloud

Subscribe to get the latest posts sent to your email.

By Per-Torben Sørensen

Per-Torben Sørensen has 25 years experience in IT and Microsoft infrastructure. He is currently an MCT and works as a Technical Architect within M365 at Crayon. His passion is Entra ID and Identity and access management and helps customers become "copilot-ready". He's also a engaged speaker and is always eager to share his knowledge and learn from others.

Related Post

Leave a Reply