cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Baseline security policy for Azure AD admin accounts in public preview!
By
Alex Simons (AZURE)
Published Sep 07 2018 09:16 AM 42.2K Views
Alex Simons (AZURE)
Microsoft
‎Sep 07 2018 09:16 AM

Baseline security policy for Azure AD admin accounts in public preview!

‎Sep 07 2018 09:16 AM
First published on CloudBlogs on Jun, 22 2018
Howdy folks, Identity attacks have increased by 300% in the last year. To protect our customers from these ever-increasing attacks, Microsoft is embarking on a journey to rollout baseline protection. To that end, I'm excited to announce today the public preview of the first baseline policy to protect privileged Azure AD accounts. This baseline policy will be available by default to all Azure AD tenants and will require MFA for privileged Azure AD accounts. Attackers who get control of privileged accounts can do tremendous damage, so it's critical to protect these accounts first. The following Azure AD roles are covered by this policy:
  1. Global administrator
  2. SharePoint administrator
  3. Exchange administrator
  4. Conditional access administrator
  5. Security administrator
During the public preview phase, we've made it easy for you to opt into the baseline policy with a "one-click" experience. After general availability, we're going to opt you into the policy by default but provide you the configuration to opt out at any time. We highly recommend you opt into the policy immediately. We've heard from early adopters about this new policy, and wanted to share a piece of feedback with you that sums up their experience: "I literally turned it on without telling my engineers, no one noticed the change because the experience is inline with their expectation of elevated privilege. At the same time, I can now show my security team with one easy configuration page that our elevated privilege access on these products are designed with security first in mind."

Get started today

To enable baseline policy, follow the steps below:
  1. Sign-in to the Azure portal with a global administrator, security administrator, or conditional access administrator account
  2. Navigate to the Conditional access blade. You'll see the baseline policy to require MFA for admins
  3. Click on the baseline policy
  4. To enable the policy immediately, select "Use policy immediately"

  5. Exclude users or groups as appropriate ( Recommendation: Exclude one " emergency-access administrative account " to ensure you are not locked out of the tenant)
  6. Save the policy
To verify your baseline policy is set to go, sign in with one of the accounts in the directory role. You should see an MFA prompt. Don't forget to review the FAQ section to learn more about this new feature.

Tell us what you think

As always, we want to hear your feedback! Please let us know what you think of this new policy and how it's working for you. We're listening! Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division
4 Comments
Thijs Lecomte
Bronze Contributor
‎Sep 28 2018 01:42 PM
‎Sep 28 2018 01:42 PM

Hi

 

Any idea when this will be enabled? I am part of a fairly large MSP in Belgium and I would like to warn my clients.

Could you provide me with an estimated time?

 

Kind regards

Ashley Plant
Copper Contributor
‎Oct 12 2018 03:32 AM
‎Oct 12 2018 03:32 AM

Hi, I have enabled this and also set the MFA settings to 'skip MFA for requests from federated users on my intranet', I have checked the claims rule in ADFS (Server 2012R2) and that looks OK. However I am being prompted when on our internal network for MFA. Just to assist my troubleshooting please can I check as this Baseline Policy is in Preview mode that it does support the MFA (and ADFS) settings.

 

Thanks,

0 Likes
Like
Robert Grayson
Copper Contributor
‎Nov 11 2018 06:57 PM
‎Nov 11 2018 06:57 PM

Can Microsoft allow trusted locations in the baseline policy? We already turn on MFA for Global Admins, but for scripts that can't do MFA the trusted locations prevents these script accounts from being used from outside our network. If we exclude the user from the baseline policy then our security position will be worse.

Greg Bristow
Copper Contributor
‎Nov 12 2018 04:36 PM
‎Nov 12 2018 04:36 PM

Hi i would also like to understand when Microsoft is enabling this as a default setting. can you please provide a rough estimate of when this will be set as the base policy.

Version history
Last update:
‎Jul 24 2020 01:56 AM
Updated by: