I just ran the report suggested: https://azuread.github.io/MSIdentityTools/commands/Export-MsIdAzureMfaReport/
This did not help, and added even more confusion: my service accounts did not even show, and nothing with onmicrosoft.com showed; instead it just showed our domain accounts. So I have opened up a ticket with MS to try to get clearer info. I am still genuinely shocked that we don't have key answers on how to exempt service accounts, or on what happens to federated accounts like those of us that have Okta as our source of truth. The potential impacts here are vast, and the time sunk into discovering what is happening pulls me away from other important tasks; the whole process does not seem very well thought out. If I get some good info from MS support I will share it, and if anyone else has anything new I would really like to hear it. It has been over a week since RenePosthumus shared info with us after opening a ticket, and we still have no updates!
Cheers.
UPDATE: It looks like you can exempt any accounts you want using CA policy; why it took so long for them to tell us this is surprising. Adding all of my admin accounts and service accounts to the policy this week.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-on-mfa-requirements-for-azure-sign-in/ba-p/4177584
"This requirement for MFA at sign-in is implemented by Azure. Microsoft https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins will show it as the source of the MFA requirement.
This requirement will be implemented on top of any access policies you’ve configured in your tenant. For example, if your organization chose to retain Microsoft’s security defaults, and you currently have security defaults enabled, your users will see no change in behavior as MFA is already required for Azure management. If your tenant is using https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview policies in Microsoft Entra and you already have a Conditional Access policy through which users sign into Azure with MFA, then your users will not see a change. Similarly, if you have existing more restrictive Conditional Access policies in place targeting Azure that require stronger authentication, such as phishing-resistant MFA, then those policies will continue to be enforced and your users will not see any changes."