Forum Discussion
mohammadalkhateeb
May 09, 2022 Copper Contributor
MFA admin policy and user policy
Hello there, I have a question about MFA all user policy and admin roles policy. I am actually not sure what is the best way to configure those policies, should I create all user policy with t...
mohammadalkhateeb
Copper Contributor
Hello,
Administrators already use PIM, and all recommendations from Microsoft are followed. On top of that, all admins are required to use supported devices and trusted locations; therefore cloud admins are required to be at a trusted location to elevate their privileges. But if they come from an untrusted location, they will get MFA prompts, and if MFA is satisfied, they will then be blocked from accessing the site because of the trusted location policy.
My issue is that admins lost the MFA challenge when they are regular users, and they never get MFA prompts. Is this issue because they were excluded from the All user policy? Should I include them in that policy or keep them excluded?
mikhailf
May 09, 2022 Steel Contributor
Hello Mohammad,
So you have users who are regular, but they can elevate their permissions.
And when they are regular users with regular permissions they do not have MFA.
If the above is correct, then yes, you should include them in your "All user policy".
If you open the Conditional Access tab, there is a "What if" tool in the upper bar. Use it to test your users and review what policies are applied to them. More information here: What If tool
- mohammadalkhateeb, May 09, 2022, Copper Contributor: I completely forgot the What If tool, apologies.
Thanks a lot for the help, much appreciated.
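The gap discussed in this thread, as an added example that is not part of the original posts: a simplified model of a "What If" check (not Microsoft's evaluation engine) comparing an admin account before and after elevation, with and without the exclusion from the all-users policy. The group name `cloud-admins`, the policy names, and the assumption that the admin policies target a directory role that matches only while it is active in PIM are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    include_all_users: bool = False
    include_roles: set = field(default_factory=set)   # assumed to match ACTIVE roles only
    exclude_groups: set = field(default_factory=set)
    untrusted_location_only: bool = False
    controls: set = field(default_factory=set)        # "mfa" and/or "block"

@dataclass
class SignIn:
    user: str
    groups: set
    active_roles: set        # a PIM-eligible role appears here only after activation
    trusted_location: bool

def what_if(policies, s):
    """Return (names of policies that apply, combined grant controls)."""
    applied, controls = [], set()
    for p in policies:
        in_scope = p.include_all_users or bool(p.include_roles & s.active_roles)
        if not in_scope or (p.exclude_groups & s.groups):
            continue                      # out of scope, or excluded by group
        if p.untrusted_location_only and s.trusted_location:
            continue                      # location condition not met
        applied.append(p.name)
        controls |= p.controls
    return applied, controls

def build_policies(exclude_admins_from_all_users):
    excl = {"cloud-admins"} if exclude_admins_from_all_users else set()
    role = {"Global Administrator"}
    return [
        Policy("All users: require MFA", include_all_users=True,
               exclude_groups=excl, controls={"mfa"}),
        Policy("Admin roles: require MFA", include_roles=role, controls={"mfa"}),
        Policy("Admin roles: block untrusted locations", include_roles=role,
               untrusted_location_only=True, controls={"block"}),
    ]

# Constructed sign-ins for the same account from an untrusted location.
regular = SignIn("admin1", {"cloud-admins"}, set(), trusted_location=False)
elevated = SignIn("admin1", {"cloud-admins"}, {"Global Administrator"}, trusted_location=False)

if __name__ == "__main__":
    for excluded in (True, False):
        for label, s in (("not elevated", regular), ("elevated", elevated)):
            print(f"excluded={excluded} {label}: {what_if(build_policies(excluded), s)}")
```

With the exclusion in place, the non-elevated sign-in matches no policy at all, which is the missing MFA prompt described in the question; removing the exclusion brings the all-users MFA policy back into scope.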