Forum Discussion
Restrict Global Admin MFA Methods
Thank you much for the information. Unfortunately we were hoping to have a separate registration policy for our global admins, but from what you had posted and everything else I have been looking at it does not appear that this is an option.
Again, thank you ChristianBergstrom
shannonhamby No worries! You can certainly separate users/groups and admins using different policies but to force them using different verification options as set in the MFA settings I'm not aware of. As far as I know it's a "tenant setting" but then again I don't usually configure these settings.
I did notice an identical request in the Azure feedback forum though but no response from MS.
Anyone know if this can be done? VasilMichev PeterRising Thanks!
Ex.
Group A - Call to phone (only)
Group B - Text message to phone (only)
Group C - Verification code from mobile app or hardware token (only)
Not possible afaik, you can block specific options globally, or leave it to the users themselves. Perhaps in the future we will be able to scope this on a group basis, much like we can do for primary/passwordless auth today (https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods)
VasilMichev is correct. Not possible at the moment.
If you have concerns over the security of your privileged admin accounts though, you could look at minimising the risk by setting up Privileged Identity Management and making some of these accounts eligible for these roles instead of having them permanently. This is an Azure AD Premium P2 feature, but well worth it if you can justify it.
The P2 licence will also give you Identity protection which enables risk based conditional access based on user and sign in risk. Not what you were asking for I appreciate, but it may offer an alternative means of protecting your environment and reducing the number of privileged accounts,
- Thanks to you as well! Good to know my reply to Shannon was correct. Cheers mate!
- Appreciate the reply, thanks!
