Microsoft Managed Entra ID Conditional Access policies are coming to eligible tenants

In November last year, Microsoft announced the “auto-rollout of Microsoft Entra Conditional Access policies that will automatically protect tenants based on risk signals, licensing, and usage.” This means that all tenants with at least an Entra ID P1 license will receive Microsoft-managed Conditional Access policies, intended to reduce the risk of account compromise in tenants that do not yet require MFA.

In a study conducted by Microsoft, they found that MFA reduces the risk of an account being compromised by 99.2%! So if you haven’t implemented the proper policies yet, now is the time to take action; otherwise Microsoft will switch the new policies to active after 90 days.


What does this mean for your environment?

When you have the required licenses you will get up to three Microsoft-managed Entra ID Conditional Access policies in your tenant. If you do nothing, Microsoft will automatically enable them after 90 days, which can be disruptive if you have not reviewed them first, for example for break glass or service accounts that cannot complete MFA.

Policy: Require multifactor authentication for admin portals
Applies to: Tenants with Entra ID Premium P1 and P2 licenses where security defaults aren’t enabled.
What it does: Covers privileged admin roles and requires multifactor authentication when an admin signs in to a Microsoft admin portal.

Policy: Require multifactor authentication for per-user multifactor authentication users
Applies to: Existing per-user multifactor authentication customers and tenants with Entra ID Premium P1 and P2 licenses where security defaults aren’t enabled.
What it does: Applies to users configured for per-user multifactor authentication and requires multifactor authentication for all cloud apps. It helps organizations transition to Conditional Access.

Policy: Require multifactor authentication for high-risk sign-ins
Applies to: Microsoft Entra ID Premium P2 customers.
What it does: Covers all users and requires multifactor authentication and reauthentication during high-risk sign-ins.

Let’s take a closer look at the policies. When they are created, the policies are set to report-only. If you take no action, they change to On after 90 days. If you have enabled logging to a Log Analytics workspace, you will find valuable information about the report-only results there. But even without it, the policy page in the Entra admin center gives you valuable information on the possible impact.

One example, shown below, is that for certain roles MFA is always required. However, if you keep a break glass account without MFA that is protected by other Conditional Access policies (trusted IP locations and/or compliant devices, etc.), you may want to exclude that account from this policy.

image 1

Below are the 14 admin roles for which the policy enforces MFA.

image 2

Per-user MFA requires a bit more explanation. Organizations that still use the per-user MFA setting in the legacy MFA portal have to manage MFA account by account, which creates the risk of forgetting to enable or enforce MFA for some end users. Conditional Access makes the legacy MFA portal obsolete, and this policy was created to ease the transition from per-user MFA to Conditional Access policies.

image 3

What action should I take?

When you see the policies in your tenant you have 90 days to take action. In the Entra admin center, open the newly created Microsoft-managed policy and click the Edit button.

image 4

If you want to keep using the Microsoft-managed policies, you might need to exclude some accounts (for example a break glass account).

image 6

If you want to use the Microsoft-managed policies, make sure to select the On setting. If you have your own Conditional Access policies in place, change the setting to Off, but first confirm that your own policies cover the same scope (MFA for admin roles on the admin portals, the per-user MFA users, and risky sign-ins), otherwise you lose that protection.

image 5
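As an added example (not part of the original post or of Microsoft’s documentation), the PowerShell script below uses the Microsoft Graph PowerShell SDK to inventory the Microsoft-managed policies before the 90-day window closes: it shows each policy’s state, how many days remain (assuming the 90 days count from the policy’s creation date), which users are excluded and whether your break glass accounts are among them, and how many recent sign-ins the report-only policy would have interrupted. The “Microsoft-managed:” display-name prefix and the contoso UPNs are assumptions; adjust them for your tenant.

```powershell
# Added example (not from the original post): audit Microsoft-managed
# Conditional Access policies before the 90-day auto-enable window closes.
# Requires the Microsoft.Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Assumptions (verify in your tenant): managed policies carry the display-name
# prefix "Microsoft-managed:", and the 90 days are counted from createdDateTime.

param(
    # Break glass accounts you expect to be excluded (constructed sample values)
    [string[]]$BreakGlassUpns = @('breakglass1@contoso.onmicrosoft.com',
                                  'breakglass2@contoso.onmicrosoft.com'),
    [int]$LookbackDays = 7
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'User.Read.All' -NoWelcome

$managed = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -like 'Microsoft-managed:*' }

if (-not $managed) {
    Write-Host 'No Microsoft-managed policies found in this tenant (yet).'
    return
}

# Resolve the break glass UPNs to object IDs once, to compare against exclusions.
$breakGlassIds = foreach ($upn in $BreakGlassUpns) {
    try { (Get-MgUser -UserId $upn -Property Id).Id }
    catch { Write-Warning "Break glass account not found: $upn" }
}

# Pull recent sign-ins once; each record lists every CA policy that was evaluated
# and, for report-only policies, what the outcome would have been.
$since   = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

foreach ($p in $managed) {
    Write-Host ''
    Write-Host "== $($p.DisplayName)"
    Write-Host "   State: $($p.State)"

    if ($p.CreatedDateTime) {
        $deadline = $p.CreatedDateTime.AddDays(90)   # assumed 90-day window
        $daysLeft = [math]::Ceiling(($deadline - (Get-Date)).TotalDays)
        Write-Host "   Created: $($p.CreatedDateTime.ToString('yyyy-MM-dd'))   Auto-enable in ~$daysLeft days"
    }

    # Which users are excluded, and are the break glass accounts among them?
    $excluded     = @($p.Conditions.Users.ExcludeUsers)
    $excludedUpns = foreach ($id in $excluded) {
        (Get-MgUser -UserId $id -Property UserPrincipalName).UserPrincipalName
    }
    Write-Host "   Excluded users: $($excludedUpns -join ', ')"

    $missing = @($breakGlassIds | Where-Object { $_ -and ($_ -notin $excluded) })
    if ($missing.Count -gt 0) {
        Write-Warning "   $($missing.Count) break glass account(s) are NOT excluded from this policy"
    }

    # Report-only evaluation: sign-ins this policy would have interrupted or failed.
    $hits = @($signIns | Where-Object {
        $_.AppliedConditionalAccessPolicies | Where-Object {
            $_.Id -eq $p.Id -and $_.Result -in 'reportOnlyFailure', 'reportOnlyInterrupted'
        }
    })
    Write-Host "   Sign-ins in last $LookbackDays days that would have been interrupted/failed: $($hits.Count)"
    $hits | Select-Object -ExpandProperty UserPrincipalName -Unique | Select-Object -First 10 |
        ForEach-Object { Write-Host "     - $_" }
}
```

Run it with an account that holds at least the Security Reader role and Entra ID P1 (reading sign-in logs through Graph requires it). A policy with many “interrupted” sign-ins and zero excluded break glass accounts is the one to fix before its 90 days run out.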

Microsoft strongly believes that users are safer with MFA than without it. I strongly agree, and I cannot emphasize enough that you should enforce MFA for all your users, and certainly for your admin accounts and roles.

Although this comes with additional cost (an Entra ID Premium P1 or P2 license is required), the cost of security is nothing compared with the cost of a breach, with its potential data loss and reputational damage.

Automatic Conditional Access policies in Microsoft Entra streamline identity protection | Microsoft Security Blog
