May 08 2022 09:41 PM
I have a question about MFA all user policy and admin roles policy.
I am actually not sure what the best way to configure those policies is. Should I create an all-users policy that includes all users and excludes directory roles, and an admin policy for directory roles that excludes all users?
Will users with AAD roles get MFA prompts if they did not elevate their privileges or what, while they have been excluded from the all-users policy?
I tried it and tested it using two accounts, one with a directory role and the other just a regular account with no roles assigned.
The regular account gets MFA prompts every time they sign in to O365 apps, but the user with permission (Global admin) gets nothing before elevating the privilege or after, even when I try to sign in again.
Shouldn’t I exclude the directory roles from the all users policy and what is the best way to configure this?
May 09 2022 04:51 AM
Conditional Access policies can be built based on users (Guest, Internal, External), workstations (OS version, OS type, Compliance, Azure join), and identities (Service accounts, resource identities). It makes sense to create stricter rules for your administrative accounts and even disallow them from accessing company resources from non-compliant and/or Azure registered devices.
It depends on your requirements.
How do your administrators elevate their permissions? Do they use PIM (Privileged Identity Management)? If yes, please check this: Multifactor authentication and Privileged Identity Management
May 09 2022 07:43 AM
May 09 2022 08:19 AM
So you have users who are regular, but they can elevate their permissions.
And when they are regular users with regular permissions they do not have MFA.
If the above is correct, so yes, you should include them in your "All user policy".
If you open the Conditional Access tab, there is a "What if" tool in the upper bar. Use it to test your users and review what policies are applied to them. More information here: What If tool
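A way to check MFA coverage of the policy designs discussed in this thread offline, as an added example that is not part of any post above and not Microsoft's evaluation code. It is a simplified model: the field names follow the Microsoft Graph `conditionalAccessPolicy` resource, while the `policy`, `applies` and `uncovered` helpers, the role ID placeholder, the sample users, and the rule that only activated roles are matched are assumptions of the example.

```python
# Added example: simplified offline model of Conditional Access user targeting.
# Field names follow Microsoft Graph conditionalAccessPolicy; everything else is constructed.
GA = "global-admin-role-id"  # placeholder, not a real role template ID

def policy(name, state, include_users=(), include_roles=(), exclude_roles=()):
    """Hypothetical helper: build a policy that requires MFA for the targeted users."""
    return {"displayName": name, "state": state,
            "users": {"includeUsers": list(include_users),
                      "includeRoles": list(include_roles),
                      "excludeRoles": list(exclude_roles)},
            "builtInControls": ["mfa"]}

def applies(p, user):
    """An enforced policy applies if the user is included and not excluded."""
    if p["state"] != "enabled":          # report-only / disabled policies enforce nothing
        return False
    u, roles = p["users"], user["active_roles"]
    included = ("All" in u["includeUsers"] or user["id"] in u["includeUsers"]
                or bool(roles & set(u["includeRoles"])))
    excluded = bool(roles & set(u["excludeRoles"]))
    return included and not excluded     # exclusions win over inclusions

def uncovered(policies, users):
    """IDs of users whose sign-in hits no enforced MFA policy."""
    return [u["id"] for u in users
            if not any(applies(p, u) and "mfa" in p["builtInControls"] for p in policies)]

# Constructed sign-ins. Assumption of this model: only activated roles are matched.
USERS = [{"id": "regular", "active_roles": set()},
         {"id": "admin-not-elevated", "active_roles": set()},
         {"id": "admin-elevated", "active_roles": {GA}}]

REPORT_ONLY = "enabledForReportingButNotEnforced"
# Design from the question: baseline excludes directory roles, separate admin policy.
SPLIT = [policy("All users", "enabled", include_users=["All"], exclude_roles=[GA]),
         policy("Admins", "enabled", include_roles=[GA])]
# Same design, but the admin policy was left in report-only mode.
SPLIT_ADMIN_REPORT_ONLY = [SPLIT[0], policy("Admins", REPORT_ONLY, include_roles=[GA])]
# Baseline includes everyone, roles not excluded; admin policy layered on top.
LAYERED_ADMIN_REPORT_ONLY = [policy("All users", "enabled", include_users=["All"]),
                             SPLIT_ADMIN_REPORT_ONLY[1]]

if __name__ == "__main__":
    for name, design in [("split", SPLIT),
                         ("split, admin policy report-only", SPLIT_ADMIN_REPORT_ONLY),
                         ("layered, admin policy report-only", LAYERED_ADMIN_REPORT_ONLY)]:
        print(f"{name}: no MFA for {uncovered(design, USERS) or 'nobody'}")
```

In this model the split design covers everyone only while the admin policy is actually enforced; keeping admins inside the all-users policy means a report-only or disabled admin policy does not leave them without MFA.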