Baseline security policy for Azure AD admin accounts in public preview!
First published on CloudBlogs on Jun 22, 2018
Identity attacks have increased by 300% in the last year. To protect our customers from these ever-increasing attacks, Microsoft is embarking on a journey to roll out baseline protection. To that end, I'm excited to announce today the public preview of the first baseline policy to protect privileged Azure AD accounts.
This baseline policy will be available by default to all Azure AD tenants and will require MFA for privileged Azure AD accounts. Attackers who get control of privileged accounts can do tremendous damage, so it's critical to protect these accounts first. The following Azure AD roles are covered by this policy:
Conditional access administrator
During the public preview phase, we've made it easy for you to opt into the baseline policy with a "one-click" experience. After general availability, we're going to opt you into the policy by default but provide you the configuration to opt out at any time. We recommend you opt into the policy immediately.
We've heard from early adopters about this new policy, and wanted to share a piece of feedback with you that sums up their experience:
"I literally turned it on without telling my engineers, no one noticed the change because the experience is in line with their expectation of elevated privilege. At the same time, I can now show my security team with one easy configuration page that our elevated privilege access on these products is designed with security first in mind."
Get started today
To enable the baseline policy, follow the steps below:
To verify your baseline policy is set to go, sign in with one of the accounts in the directory role. You should see an MFA prompt.
Don't forget to review the
to learn more about this new feature.
Tell us what you think
As always, we want to hear your feedback! Please let us know what you think of this new policy and how it's working for you. We're listening!
Alex Simons (Twitter:
Director of Program Management
Microsoft Identity Division