MFA admin policy and user policy


Hello there,

I have a question about the MFA all-users policy and the admin-roles policy.

I am actually not sure what the best way is to configure those policies. Should I create the all-users policy with the inclusion of all users and the exclusion of directory roles, and the admin policy for directory roles with all users excluded?
Will users with AAD roles get MFA prompts if they did not elevate their privileges, while they have been excluded from the all-users policy?

I tried it and tested it using two accounts, one with a directory role and the other just a regular account with no roles assigned.

The regular account gets MFA prompts every time they sign in to O365 apps, but the user with permission (Global admin) gets nothing before elevating the privilege and after, even when I try to re-sign in.

Shouldn't I exclude the directory roles from the all-users policy, and what is the best way to configure this?

Thanks


@mohammadalkhateeb

Hello Mohammad,
Conditional Access policies can be built based on users (Guest, Internal, External), workstations (OS version, OS type, Compliance, Azure join), and identities (Service accounts, resource identities). It makes sense to create stricter rules for your administrative accounts and even disallow them from accessing company resources from non-compliant and/or Azure-registered devices.
It depends on your requirements.

How do your administrators elevate their permissions? Do they use PIM (Privileged Identity Management)? If yes, please check this: Multifactor authentication and Privileged Identity Management (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-require-mfa)

Hello,

Administrators already use PIM and all recommendations from Microsoft are followed. On top of that, all admins are required to use supported devices and trusted locations; therefore cloud admins are required to be at a trusted location to elevate the privilege. If they come from an untrusted location they will be getting MFA prompts, and if MFA is satisfied they will then be blocked from accessing the site because of the trusted location policy.
My issue is that admins lost the MFA challenge when they are regular users, and they will never get MFA prompts. Is this issue because they were excluded from the All users policy? Should I include them in that policy or keep them excluded?

@mohammadalkhateeb

Hello Mohammad,
So you have users who are regular, but they can elevate their permissions.
And when they are regular users with regular permissions they do not have MFA.
If the above is correct, then yes, you should include them in your "All users policy".

If you open the Conditional Access tab, there is a "What if" tool in the upper bar. Use it to test your users and review what policies are applied to them. More information here: What If tool (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool)
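The coverage gap described in this thread (admins excluded from the all-users policy and then receiving no MFA challenge at all) can be checked offline with a small model of the two policy layouts. The following is an added example, not code from the thread, from Microsoft or from the Conditional Access service: the `Policy` and `User` records, the sample accounts and the simplified evaluation rules (include/exclude by user or role, enforced vs. report-only state, roles matched only on what the account currently holds) are constructed assumptions, so use the real What If tool for authoritative answers.

```python
"""Offline coverage check for two Conditional Access MFA layouts.

Added example; the data model and evaluation rules below are a deliberate
simplification (an assumption), not the product's evaluation engine.
"""
from dataclasses import dataclass, field

ALL = "All"  # sentinel mirroring the "All users" selection in the portal

# Constructed role identifier for the example; the real directory role
# template ID would be used in a Graph request.
GLOBAL_ADMIN = "GlobalAdministrator"


@dataclass
class Policy:
    name: str
    include_users: set = field(default_factory=set)
    include_roles: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    exclude_roles: set = field(default_factory=set)
    require_mfa: bool = True
    enforced: bool = True  # False models a report-only policy


@dataclass
class User:
    upn: str
    # Assumption: only roles the account currently holds are matched;
    # a PIM-eligible but not activated role is modelled as absent.
    roles: set = field(default_factory=set)


def applies(policy: Policy, user: User) -> bool:
    """True when the user is in scope: included by user or role and not excluded."""
    included = (ALL in policy.include_users
                or user.upn in policy.include_users
                or bool(user.roles & policy.include_roles))
    excluded = (user.upn in policy.exclude_users
                or bool(user.roles & policy.exclude_roles))
    return included and not excluded


def mfa_policies(policies, user: User):
    """Names of enforced policies that require MFA for this user."""
    return [p.name for p in policies
            if p.enforced and p.require_mfa and applies(p, user)]


def uncovered(policies, users):
    """Accounts that no enforced MFA policy applies to (the gap to look for)."""
    return sorted(u.upn for u in users if not mfa_policies(policies, u))


# Constructed sample accounts (example.com is a placeholder domain).
USERS = [
    User("regular@example.com"),
    User("ga-admin@example.com", {GLOBAL_ADMIN}),   # role currently held
    User("eligible-admin@example.com"),             # eligible only, not activated
]

# Layout A (as first tried in the thread): all-users policy excludes directory
# roles; the admin policy is still in report-only mode while being piloted,
# so nothing enforces MFA for the Global admin.
LAYOUT_A = [
    Policy("All users MFA", include_users={ALL}, exclude_roles={GLOBAL_ADMIN}),
    Policy("Admin MFA", include_roles={GLOBAL_ADMIN}, enforced=False),
]

# Layout B (as recommended in the reply): everyone stays in the all-users
# policy; the admin policy only adds stricter controls on top.
LAYOUT_B = [
    Policy("All users MFA", include_users={ALL}),
    Policy("Admin MFA", include_roles={GLOBAL_ADMIN}, enforced=False),
]

if __name__ == "__main__":
    for label, layout in (("A", LAYOUT_A), ("B", LAYOUT_B)):
        print(f"Layout {label}: uncovered = {uncovered(layout, USERS)}")
        for u in USERS:
            print(f"  {u.upn}: {mfa_policies(layout, u)}")
```

Running it shows layout A leaving `ga-admin@example.com` with no enforced MFA policy, while layout B covers every account through the all-users policy regardless of the admin policy's state; that is the same conclusion the reply reaches, and the check is cheap to re-run whenever a policy's scope or state changes.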

I completely forgot the What If tool, apologies.

Thanks a lot for the help, much appreciated.