First published on CloudBlogs on Jun, 22 2018
Howdy folks, Identity attacks have increased by 300% in the last year. To protect our customers from these ever-increasing attacks, Microsoft is embarking on a journey to rollout baseline protection. To that end, I'm excited to announce today the public preview of the first baseline policy to protect privileged Azure AD accounts. This baseline policy will be available by default to all Azure AD tenants and will require MFA for privileged Azure AD accounts. Attackers who get control of privileged accounts can do tremendous damage, so it's critical to protect these accounts first. The following Azure AD roles are covered by this policy:
  1. Global administrator
  2. SharePoint administrator
  3. Exchange administrator
  4. Conditional access administrator
  5. Security administrator
During the public preview phase, we've made it easy for you to opt into the baseline policy with a "one-click" experience. After general availability, we're going to opt you into the policy by default but provide you the configuration to opt out at any time. We highly recommend you opt into the policy immediately. We've heard from early adopters about this new policy, and wanted to share a piece of feedback with you that sums up their experience: "I literally turned it on without telling my engineers, no one noticed the change because the experience is inline with their expectation of elevated privilege. At the same time, I can now show my security team with one easy configuration page that our elevated privilege access on these products are designed with security first in mind."

Get started today

To enable baseline policy, follow the steps below:
  1. Sign-in to the Azure portal with a global administrator, security administrator, or conditional access administrator account
  2. Navigate to the Conditional access blade. You'll see the baseline policy to require MFA for admins
  3. Click on the baseline policy
  4. To enable the policy immediately, select "Use policy immediately"

  5. Exclude users or groups as appropriate ( Recommendation: Exclude one " emergency-access administrative account " to ensure you are not locked out of the tenant)
  6. Save the policy
To verify your baseline policy is set to go, sign in with one of the accounts in the directory role. You should see an MFA prompt. Don't forget to review the FAQ section to learn more about this new feature.

Tell us what you think

As always, we want to hear your feedback! Please let us know what you think of this new policy and how it's working for you. We're listening! Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division
Established Member



Any idea when this will be enabled? I am part of a fairly large MSP in Belgium and I would like to warn my clients.

Could you provide me with an estimated time?


Kind regards

Senior Member

Hi, I have enabled this and also set the MFA settings to 'skip MFA for requests from federated users on my intranet', I have checked the claims rule in ADFS (Server 2012R2) and that looks OK. However I am being prompted when on our internal network for MFA. Just to assist my troubleshooting please can I check as this Baseline Policy is in Preview mode that it does support the MFA (and ADFS) settings.



Can Microsoft allow trusted locations in the baseline policy? We already turn on MFA for Global Admins, but for scripts that can't do MFA the trusted locations prevents these script accounts from being used from outside our network. If we exclude the user from the baseline policy then our security position will be worse.

Occasional Contributor

Hi i would also like to understand when Microsoft is enabling this as a default setting. can you please provide a rough estimate of when this will be set as the base policy.