Create Policy for MFA non-compliance - Require MFA for administrative roles


We are using AATP and when we review our Secure Score (security.microsoft.com) one of the action items is to "Require MFA for administrative roles". We have set up MFA but are not sure why this is coming up as an "Improvement action".

I wanted to create a Policy within Cloud App so I could be alerted whenever there is a user that has an admin role but is not required to use MFA. Is that possible?


Thanks,


Serge

1 Reply

@SergioT1228 


Hi, this is not something you configure using ATP. Instead, you need to look at Azure AD Conditional Access. You can enforce MFA based on roles. Just be careful not to lock yourself out of your tenant, and exclude your permanent break glass accounts.


You can read more about CA here - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
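As an added example (not part of the thread above, and not Microsoft's own sample), here is how the role-based Conditional Access policy the reply recommends can be created with the Microsoft Graph PowerShell SDK, with the break-glass exclusion wired in. It assumes the Microsoft.Graph module is installed, that the role names listed are the administrative roles you want covered, and that the two UPNs are your permanent break-glass accounts (all placeholders to replace). The policy is created in report-only mode by default so you can review sign-in logs before switching to enforcement with -Enforce; the last section lists the role members the policy will not cover, which is the "admin without MFA required" condition the original question wanted visibility of.

```powershell
# Added example: require MFA for administrative directory roles via Conditional Access,
# excluding break-glass accounts. Names and UPNs below are assumptions, not from the thread.
param(
    [string[]]$RoleNames = @(
        'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
        'Conditional Access Administrator', 'Authentication Administrator',
        'Exchange Administrator', 'SharePoint Administrator', 'User Administrator'
    ),
    # Hypothetical break-glass UPNs; replace with your own emergency access accounts.
    [string[]]$BreakGlassUpns = @('breakglass1@contoso.onmicrosoft.com',
                                  'breakglass2@contoso.onmicrosoft.com'),
    [switch]$Enforce   # default is report-only so nobody gets locked out on day one
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'RoleManagement.Read.Directory',
                        'User.Read.All'

# includeRoles takes role *template* IDs, so resolve the display names to templates.
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $RoleNames) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Role template '$name' not found in this tenant" }
    $t.Id
}

# Resolve break-glass accounts to object IDs and refuse to proceed if none resolve:
# a role-scoped MFA policy with an empty exclusion list is how tenants get locked out.
$breakGlassIds = @(foreach ($upn in $BreakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
})
if ($breakGlassIds.Count -lt 1) {
    throw 'Refusing to create the policy without at least one break-glass exclusion'
}

$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

$policy = @{
    displayName   = 'Require MFA for administrative roles'
    state         = $state
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        users          = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlassIds)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id

# Report which current role holders the policy deliberately does NOT cover (the exclusions).
# Anyone listed here is an admin who is not required to use MFA by this policy.
foreach ($templateId in $roleIds) {
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
    if (-not $role) { continue }   # role never activated in the tenant, so it has no members
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        if ($breakGlassIds -contains $m.Id) {
            Write-Warning "$($role.DisplayName): member $($m.Id) is excluded (break-glass) from the MFA policy"
        }
    }
}
```

Run it once without -Enforce, watch the "Report-only" results in the Azure AD sign-in logs for a few days, then rerun with -Enforce (or flip the state in the portal). Keep the exclusion list limited to the permanent break-glass accounts the reply mentions; every other admin should fall inside includeRoles.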