Restrict Global Admin MFA Methods

%3CLINGO-SUB%20id%3D%22lingo-sub-1704591%22%20slang%3D%22en-US%22%3ERestrict%20Global%20Admin%20MFA%20Methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1704591%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20possible%20to%20change%20the%20mfa%20methods%20specifically%20for%20Global%20Admins%20that%20is%20different%20from%20the%20normal%20user%20base%3F%20What%20we%20are%20looking%20to%20do%20is%20the%20following%3A%3C%2FP%3E%3CP%3EUser%20base%20-%20Can%20register%20MFA%20by%20use%20of%20SMS%2C%20Phone%20Call%2C%20Mobile%20App%2C%20Software%2FHardware%20token%20(note%20I%20understand%20that%20sms%20is%20not%20a%20good%20thing%2C%20but%20at%20this%20point%20in%20time%20we%20are%20stuck%20where%20we%20are)%3C%2FP%3E%3CP%3EUsers%20with%20Global%20Admin%20-%20Must%20register%20and%20use%20Authenticator%20App%20as%20well%20as%20Hardware%20token%20to%20authenticate.%3C%2FP%3E%3CP%3EPlease%20let%20me%20know%20if%20it%20is%20even%20possible%20to%20do%20such%20a%20thing%20or%20any%20recommendations%20you%20may%20have.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1704591%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMFA%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1707109%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20Global%20Admin%20MFA%20Methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1707109%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F806102%22%20target%3D%22_blank%22%3E%40shannonhamby%3C%2FA%3E%26nbsp%3BHi%2C%20well%20for%20what%20it's%20worth%20this%20is%20the%20guidance%20for%20protecting%20your%20global%20administrator%20accounts%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fprotect-your-global-administrator-accounts%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fprotect-your-global-administrator-accounts%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20to%20separate%20them%20using%20different%20secondary%20authentication%20methods%20I'm%20only%20aware%20of%20the%20authenticator%20app%20being%20the%20default%20and%20only%20option%20when%20using%20the%20built-in%20%22Security%20defaults%22%2C%20that%20is%20if%20you%20don't%20configure%20the%20MFA%20service%20settings%20so%20that%20when%20your%26nbsp%3B%3CSPAN%3Eusers%20enroll%20their%20accounts%20they%20choose%20their%20preferred%20verification%20method%20from%20the%20options%20that%20you%20have%20enabled%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fsv-se%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-mfasettings%23enable-and-disable-verification-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fsv-se%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-mfasettings%23enable-and-disable-verification-methods%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20using%20legacy%20MFA%20it's%20per-user%20and%20best%20practice%20is%20y%3CSPAN%3Eou%20should%20be%20using%20either%20Security%20Defaults%20or%20Conditional%20Access%20policies%20to%20require%20MFA.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMFA%20support%20in%20Microsoft%20365%20(plans)%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fmulti-factor-authentication-microsoft-365%3Fview%3Do365-worldwide%23mfa-support-in-microsoft-365%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fmulti-factor-authentication-microsoft-365%3Fview%3Do365-worldwide%23mfa-support-in-microsoft-365%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsing%20these%20methods%20together%20(enabled%2Fdisabled)%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fmulti-factor-authentication-microsoft-365%3Fview%3Do365-worldwide%23using-these-methods-together%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fmulti-factor-authentication-microsoft-365%3Fview%3Do365-worldwide%23using-these-methods-together%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerhaps%20not%20what%20you're%20looking%20for%20but%20hopefully%20getting%20you%20in%20the%20right%20direction.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1708099%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20Global%20Admin%20MFA%20Methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1708099%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20much%20for%20the%20information.%20Unfortunately%20we%20were%20hoping%20to%20have%20a%20separate%20registration%20policy%20for%20our%20global%20admins%2C%20but%20from%20what%20you%20had%20posted%20and%20everything%20else%20I%20have%20been%20looking%20at%20it%20does%20not%20appear%20that%20this%20is%20an%20option.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAgain%2C%20thank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1708260%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20Global%20Admin%20MFA%20Methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1708260%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20are%20relatively%20few%20administrative%20tasks%2C%20such%20as%20assigning%20roles%20to%20user%20accounts%2C%20that%20require%20global%20administrator%20privileges.%20Therefore%2C%20instead%20of%20using%20everyday%20user%20accounts%20that%20have%20been%20assigned%20the%20global%20admin%20role%2C%20do%20these%20steps%3A%3C%2FP%3E%3CP%3EDetermine%20the%20set%20of%20user%20accounts%20that%20have%20been%20assigned%20the%20global%20admin%20role.%20You%20can%20do%20this%20with%20the%20following%20Azure%20Active%20(Azure%20AD)%20Directory%20PowerShell%20for%20Graph%20command%3A%3CBR%20%2F%3EPowerShell%3C%2FP%3E%3CP%3ECopy%3CBR%20%2F%3EGet-AzureADDirectoryRole%20%7C%20where%20%7B%20%24_.DisplayName%20-eq%20%22Company%20Administrator%22%20%7D%20%7C%20Get-AzureADDirectoryRoleMember%20%7C%20Ft%20DisplayName%3CBR%20%2F%3ESign%20into%20your%20Microsoft%20365%20subscription%20with%20a%20user%20account%20that%20has%20been%20assigned%20the%20global%20admin%20role.%3C%2FP%3E%3CP%3ECreate%20up%20to%20a%20maximum%20of%20four%20dedicated%20global%20administrator%20user%20accounts.%20Use%20strong%20passwords%20at%20least%2012%20characters%20long.%20See%20Create%20a%20strong%20password%20for%20more%20information.%20Store%20the%20passwords%20for%20the%20new%20accounts%20in%20a%20secure%20location.%3C%2FP%3E%3CP%3EAssign%20the%20global%20admin%20role%20to%20each%20of%20the%20new%20dedicated%20global%20administrator%20user%20accounts.%3C%2FP%3E%3CP%3ESign%20out%20of%20Microsoft%20365.%3C%2FP%3E%3CP%3ESign%20in%20with%20one%20of%20the%20new%20dedicated%20global%20administrator%20user%20accounts.%3C%2FP%3E%3CP%3EFor%20each%20existing%20user%20account%20that%20had%20been%20assigned%20the%20global%20admin%20role%20from%20step%201%3A%3C%2FP%3E%3CP%3ERemove%20the%20global%20admin%20role.%3C%2FP%3E%3CP%3EAssign%20admin%20roles%20to%20the%20account%20that%20are%20appropriate%20to%20that%20user's%20job%20function%20and%20responsibility.%20For%20more%20information%20about%20various%20admin%20roles%20in%20Microsoft%20365%2C%20see%20About%20admin%20roles.%3C%2FP%3E%3CP%3ESign%20out%20of%20Microsoft%20365.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdmin%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.apps4rent.com%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EApps4Rent%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1708362%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20Global%20Admin%20MFA%20Methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1708362%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F806102%22%20target%3D%22_blank%22%3E%40shannonhamby%3C%2FA%3E%26nbsp%3BNo%20worries!%20You%20can%20certainly%20separate%20users%2Fgroups%20and%20admins%20using%20different%20policies%20but%20to%20force%20them%20using%20different%20verification%20options%20as%20set%20in%20the%20MFA%20settings%20I'm%20not%20aware%20of.%20As%20far%20as%20I%20know%20it's%20a%20%22tenant%20setting%22%20but%20then%20again%20I%20don't%20usually%20configure%20these%20settings.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20did%20notice%20an%20identical%20request%20in%20the%20Azure%20feedback%20forum%20though%20but%20no%20response%20from%20MS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%20know%20if%20this%20can%20be%20done%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3BThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEx.%3C%2FP%3E%3CP%3EGroup%20A%20-%20Call%20to%20phone%20(only)%3C%2FP%3E%3CP%3EGroup%20B%20-%20Text%20message%20to%20phone%20(only)%3C%2FP%3E%3CP%3EGroup%20C%20-%20Verification%20code%20from%20mobile%20app%20or%20hardware%20token%20(only)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F221814i6498FBDE5CAAA362%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1708892%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20Global%20Admin%20MFA%20Methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1708892%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20possible%20afaik%2C%20you%20can%20block%20specific%20options%20globally%2C%20or%20leave%20it%20to%20the%20users%20themselves.%20Perhaps%20in%20the%20future%20we%20will%20be%20able%20to%20scope%20this%20on%20a%20group%20basis%2C%20much%20like%20we%20can%20do%20for%20primary%2Fpasswordless%20auth%20today%20(%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FAuthenticationMethodsMenuBlade%2FAdminAuthMethods%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FAuthenticationMethodsMenuBlade%2FAdminAuthMethods%3C%2FA%3E)%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Is it possible to change the mfa methods specifically for Global Admins that is different from the normal user base? What we are looking to do is the following:

User base - Can register MFA by use of SMS, Phone Call, Mobile App, Software/Hardware token (note I understand that sms is not a good thing, but at this point in time we are stuck where we are)

Users with Global Admin - Must register and use Authenticator App as well as Hardware token to authenticate.

Please let me know if it is even possible to do such a thing or any recommendations you may have.

9 Replies
Highlighted

@shannonhamby Hi, well for what it's worth this is the guidance for protecting your global administrator accounts https://docs.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts...

 

As to separate them using different secondary authentication methods I'm only aware of the authenticator app being the default and only option when using the built-in "Security defaults", that is if you don't configure the MFA service settings so that when your users enroll their accounts they choose their preferred verification method from the options that you have enabled https://docs.microsoft.com/sv-se/azure/active-directory/authentication/howto-mfa-mfasettings#enable-...

 

When using legacy MFA it's per-user and best practice is you should be using either Security Defaults or Conditional Access policies to require MFA.

 

MFA support in Microsoft 365 (plans)
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/multi-factor-authentica... 

 

Using these methods together (enabled/disabled)
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/multi-factor-authentica... 

 

Perhaps not what you're looking for but hopefully getting you in the right direction.

Highlighted

Thank you much for the information. Unfortunately we were hoping to have a separate registration policy for our global admins, but from what you had posted and everything else I have been looking at it does not appear that this is an option.

 

Again, thank you @bec064 

Highlighted

There are relatively few administrative tasks, such as assigning roles to user accounts, that require global administrator privileges. Therefore, instead of using everyday user accounts that have been assigned the global admin role, do these steps:

Determine the set of user accounts that have been assigned the global admin role. You can do this with the following Azure Active (Azure AD) Directory PowerShell for Graph command:
PowerShell

Copy
Get-AzureADDirectoryRole | where { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Ft DisplayName
Sign into your Microsoft 365 subscription with a user account that has been assigned the global admin role.

Create up to a maximum of four dedicated global administrator user accounts. Use strong passwords at least 12 characters long. See Create a strong password for more information. Store the passwords for the new accounts in a secure location.

Assign the global admin role to each of the new dedicated global administrator user accounts.

Sign out of Microsoft 365.

Sign in with one of the new dedicated global administrator user accounts.

For each existing user account that had been assigned the global admin role from step 1:

Remove the global admin role.

Assign admin roles to the account that are appropriate to that user's job function and responsibility. For more information about various admin roles in Microsoft 365, see About admin roles.

Sign out of Microsoft 365.

 

Admin

Apps4Rent

Highlighted

@shannonhamby No worries! You can certainly separate users/groups and admins using different policies but to force them using different verification options as set in the MFA settings I'm not aware of. As far as I know it's a "tenant setting" but then again I don't usually configure these settings.

 

I did notice an identical request in the Azure feedback forum though but no response from MS.

 

Anyone know if this can be done? @Vasil Michev @PeterRising Thanks!

 

Ex.

Group A - Call to phone (only)

Group B - Text message to phone (only)

Group C - Verification code from mobile app or hardware token (only)

 

image.png

Highlighted

Not possible afaik, you can block specific options globally, or leave it to the users themselves. Perhaps in the future we will be able to scope this on a group basis, much like we can do for primary/passwordless auth today (https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods)

Highlighted
Appreciate the reply, thanks!
Highlighted

@Vasil Michev is correct.  Not possible at the moment. 

 

If you have concerns over the security of your privileged admin accounts though, you could look at minimising the risk by setting up Privileged Identity Management and making some of these accounts eligible for these roles instead of having them permanently.  This is an Azure AD Premium P2 feature, but well worth it if you can justify it.  

 

The P2 licence will also give you Identity protection which enables risk based conditional access based on user and sign in risk.  Not what you were asking for I appreciate, but it may offer an alternative means of protecting your environment and reducing the number of privileged accounts,

 

Highlighted
Thanks to you as well! Good to know my reply to Shannon was correct. Cheers mate!
Highlighted

Just wanted to thank everyone for the responses. I also wanted to mention that after doing some further research there actually is only one solution to using the separate MFA policies and that is with 3rd party IDP with Duo Security. If you have this need I suggest checking out the link below. This solution adds another MFA policy by use of conditional access.

 

https://duo.com/docs/azure-ca