Forum Discussion
MFA admin policy and user policy
Hello Mohammad,
Conditional Access policies can be built based on users (Guest, Internal, External), workstations (OS version, OS type, Compliance, Azure join), and identities (Service accounts, resource identities). It makes sense to create stricter rules for your administrative accounts and even disallow them from accessing company resources from non-compliant and/or Azure registered devices.
It depends on your requirements.
How do your administrators elevate their permissions? Do they use PIM (Privileged Identity Management)? If yes, please check this: Multifactor authentication and Privileged Identity Management
- mohammadalkhateeb, May 09, 2022, Copper Contributor
Hello,
Administrators already use PIM and all recommendations from Microsoft are followed. On top of that, all admins are required to use supported devices and trusted locations; therefore cloud admins are required to be at a trusted location to elevate their privilege. If they come from an untrusted location they will get MFA prompts, and if MFA is satisfied they will then be blocked from accessing the site because of the trusted location policy.
My issue is that admins lost the MFA challenge when they are regular users: they will never get MFA prompts. Is this issue because they were excluded from the All users policy? Should I include them in that policy or keep them excluded?
- mikhailf, May 09, 2022, Steel Contributor
Hello Mohammad,
So you have users who are regular, but they can elevate their permissions.
And when they are regular users with regular permissions they do not have MFA.
If the above is correct, then yes, you should include them in your "All users policy".
If you open the Conditional Access tab, there is a "What if" tool in the upper bar. Use it to test your users and review what policies are applied to them. More information here: What If tool
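The scoping logic behind the advice above (stricter admin policies in the first reply, and the "excluded from All users" gap plus the What If check in this one) can be reproduced locally. The script below is an added example, not code from the thread or from Microsoft: it evaluates Conditional Access user scoping (exclusions beat inclusions; "All" covers everyone; directory-role targeting only matches roles that are currently active, which for PIM means after activation) against policy objects in the shape Microsoft Graph returns. The policies, group ID and user ID are constructed sample data with hypothetical IDs; the one real constant is the built-in Global Administrator role template ID. In a tenant you would replace the sample array with `Get-MgIdentityConditionalAccessPolicy -All` (Microsoft.Graph.Identity.SignIns), whose PascalCase properties resolve under the same names because PowerShell property access is case-insensitive.

```powershell
# Added example (not from the thread): offline approximation of the
# Conditional Access "What If" user-scoping step.

function Test-CaPolicyScope {
    param(
        [Parameter(Mandatory)] $Policy,          # one policy in Graph shape
        [Parameter(Mandatory)] [string] $UserId,
        [string[]] $GroupIds = @(),              # groups the user belongs to
        [string[]] $RoleIds  = @()               # directory roles currently ACTIVE (PIM: activated)
    )
    $u = $Policy.conditions.users

    # Exclusions always win over inclusions in Conditional Access.
    $excluded = ($u.excludeUsers -contains $UserId) -or
                (@($u.excludeGroups | Where-Object { $GroupIds -contains $_ }).Count -gt 0) -or
                (@($u.excludeRoles  | Where-Object { $RoleIds  -contains $_ }).Count -gt 0)
    if ($excluded) { return 'Excluded' }

    $included = ($u.includeUsers -contains 'All') -or
                ($u.includeUsers -contains $UserId) -or
                (@($u.includeGroups | Where-Object { $GroupIds -contains $_ }).Count -gt 0) -or
                (@($u.includeRoles  | Where-Object { $RoleIds  -contains $_ }).Count -gt 0)
    if ($included) { return 'Included' }
    return 'NotInScope'
}

function Get-CaUserCoverage {
    param($Policies, [string] $UserId, [string[]] $GroupIds = @(), [string[]] $RoleIds = @())
    foreach ($p in $Policies) {
        # Report-only and disabled policies are evaluated but never enforce.
        if ($p.state -ne 'enabled') { continue }
        [pscustomobject]@{
            Policy   = $p.displayName
            Scope    = Test-CaPolicyScope -Policy $p -UserId $UserId -GroupIds $GroupIds -RoleIds $RoleIds
            Operator = $p.grantControls.operator
            Controls = ($p.grantControls.builtInControls -join ',')
        }
    }
}

# --- constructed sample data (hypothetical IDs, except the role template) ---
$mohammad        = 'aaaaaaaa-0000-4000-8000-000000000001'     # hypothetical user object ID
$adminsGroup     = 'bbbbbbbb-0000-4000-8000-000000000002'     # hypothetical "CA-Exclude-Admins" group
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'     # built-in Global Administrator template ID

function New-UserCondition {
    param([string[]] $IncludeUsers = @(), [string[]] $ExcludeGroups = @(), [string[]] $IncludeRoles = @())
    [pscustomobject]@{
        includeUsers = $IncludeUsers;  excludeUsers  = @()
        includeGroups = @();           excludeGroups = $ExcludeGroups
        includeRoles  = $IncludeRoles; excludeRoles  = @()
    }
}

$policies = @(
    [pscustomobject]@{
        displayName   = 'CA01 - All users - require MFA'
        state         = 'enabled'
        conditions    = [pscustomobject]@{ users = New-UserCondition -IncludeUsers @('All') -ExcludeGroups @($adminsGroup) }
        grantControls = [pscustomobject]@{ operator = 'OR';  builtInControls = @('mfa') }
    },
    [pscustomobject]@{
        displayName   = 'CA02 - Admin roles - require MFA and compliant device'
        state         = 'enabled'
        conditions    = [pscustomobject]@{ users = New-UserCondition -IncludeRoles @($globalAdminRole) }
        grantControls = [pscustomobject]@{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    }
)

# Scenario 1: the admin works as a regular user; the PIM role is eligible, not activated,
# so only group membership counts. CA01 excludes the group and CA02 does not match yet.
Get-CaUserCoverage -Policies $policies -UserId $mohammad -GroupIds @($adminsGroup) | Format-Table -AutoSize

# Scenario 2: same admin after activating Global Administrator in PIM.
Get-CaUserCoverage -Policies $policies -UserId $mohammad -GroupIds @($adminsGroup) -RoleIds @($globalAdminRole) |
    Format-Table -AutoSize

# Fix: stop excluding the admin group from the All-users policy. CA02 still applies on top
# once a role is active, so admins get the baseline MFA as users and the stricter set as admins.
$policies[0].conditions.users.excludeGroups = @()
Get-CaUserCoverage -Policies $policies -UserId $mohammad -GroupIds @($adminsGroup) | Format-Table -AutoSize
```

Scenario 1 is the gap described in the question: with the admin group excluded from CA01 and no active role, no enabled policy is in scope, so the sign-in gets no MFA prompt. Scenario 2 shows why the admin policy alone does not close the gap, since role-based targeting only takes effect after PIM activation. The portal What If tool remains the authority, because it also evaluates locations, device state, applications and other conditions that this user-scoping check ignores.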
- mohammadalkhateeb, May 09, 2022, Copper Contributor
I completely forgot the What If tool, apologies.
Thanks a lot for the help, much appreciated.