Enable Multi-Factor Authentication by Default – For Azure and Office 365
Microsoft is rolling out a new baseline security policy for Azure Active Directory, the directory behind Office 365. It requires multi-factor authentication (MFA) for all privileged accounts. The policy is currently in public preview, which means it is visible in tenants but not yet enabled.
The baseline security policy requires MFA for any Office 365 or Azure account that is a member of one of the following privileged roles:
- Global Administrator
- SharePoint Administrator
- Conditional Access Administrator
- Security Administrator
- Exchange Administrator
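Before the baseline policy is enforced it is worth knowing which members of these five roles have no MFA-capable method registered, because those accounts will be challenged and unable to complete sign-in. The following script is an added example, not code from the original article or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to the listed read-only scopes; role names are matched by display name as they appear in Azure AD.

```powershell
# Added example (not from the original article): list the members of the five
# roles the baseline policy targets and flag those with no MFA-capable
# authentication method registered. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','UserAuthenticationMethod.Read.All'

$targetRoles = @(
    'Global Administrator',
    'SharePoint Administrator',
    'Conditional Access Administrator',
    'Security Administrator',
    'Exchange Administrator'
)

# Registered methods that can satisfy an MFA challenge. A password or an
# SSPR-only email address does not count.
$mfaMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# a role that was never assigned has no members to check.
$roles = Get-MgDirectoryRole -All | Where-Object { $targetRoles -contains $_.DisplayName }

$report = foreach ($role in $roles) {
    # Direct, permanent assignments only. PIM eligible assignments are not
    # returned by this call and need the PIM / roleManagement APIs.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        # Groups and service principals do not register authentication methods.
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methodTypes = Get-MgUserAuthenticationMethod -UserId $m.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        $registered = $methodTypes | Where-Object { $mfaMethodTypes -contains $_ }

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
            MfaMethods        = ($registered -replace '#microsoft.graph.', '') -join ','
            MfaRegistered     = [bool]$registered
        }
    }
}

# Accounts with MfaRegistered = False will be locked out when the policy is
# enforced unless they register a method first or are deliberately excluded.
$report | Sort-Object MfaRegistered, Role | Format-Table -AutoSize
```

Run it once before enabling the policy and again after the rollout; any privileged user who appears with `MfaRegistered` equal to `False` either needs to register a method or is a candidate for the deliberate break-glass exclusion discussed later in the article, and nothing else.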
Tip: to view the policy, open the Conditional Access section of the Azure AD portal.
The baseline policy is implemented as a conditional access policy. It cannot be customized beyond excluding users and groups: fully customizable conditional access rules require Azure AD Premium licenses, whereas the baseline policy is available to all customers. Use the exclusion option to keep at least one global administrator account out of every conditional access policy. Microsoft recommends this because it leaves you a way to sign in if you accidentally lock yourself out of all administrative portals. Treat that account as a break-glass account for emergencies: give it a strong password, store the password in a secure place, and never use the account for routine administrative work.
Some descriptions of the new baseline policy state that it makes MFA mandatory for customer admin accounts. That is not the case: choose the "Do not use policy" option to opt out of the policy before it goes live. Otherwise, set the exclusion described above, and keep the number of excluded accounts as small as possible. Microsoft recommends the same, and suggests moving any automation that runs under an excluded admin account to service principals with certificates or to Managed Service Identity (MSI).
Because the policy targets roles rather than named users, any account that is later elevated to one of these roles (through Privileged Identity Management or by manual assignment) automatically falls under it. MFA is then enforced for that account, reducing risk for as long as it holds privileged access. This works much like the current release of conditional access, which allows policies to target directory roles; that capability covers a far wider range of directory roles than the five targeted by the baseline policy. This is also why the policy makes MFA mandatory for Office 365 and Azure accounts in these roles.
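The two paragraphs above describe what the baseline policy is (a conditional access policy targeting roles, with a break-glass exclusion) and note that licensed tenants can build the same thing themselves with a wider choice of roles. The following script is an added example, not code from the original article or from Microsoft, showing how that equivalent policy looks when created through the Microsoft Graph PowerShell SDK. It assumes Azure AD Premium (required for custom conditional access), the Microsoft.Graph SDK, and a pre-existing break-glass account; the UPN `breakglass@contoso.onmicrosoft.com` and the policy display name are placeholders.

```powershell
# Added example (not from the original article): recreate the baseline policy
# as an ordinary Conditional Access policy that targets the same five roles,
# requires MFA for all applications, and excludes one break-glass global
# administrator. Requires Azure AD Premium and the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All','Directory.Read.All'

$targetRoles = @(
    'Global Administrator',
    'SharePoint Administrator',
    'Conditional Access Administrator',
    'Security Administrator',
    'Exchange Administrator'
)

# Conditional Access targets roles by role template ID. Resolve the IDs from
# the directory role templates instead of hard-coding GUIDs.
$roleTemplateIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $targetRoles -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

if ($roleTemplateIds.Count -ne $targetRoles.Count) {
    throw "Expected $($targetRoles.Count) role templates, found $($roleTemplateIds.Count)."
}

# The policy stores the excluded account's object ID, so the break-glass
# account must already exist. Placeholder UPN; replace with your own.
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Break-glass account $breakGlassUpn not found." }

$policy = @{
    displayName = 'Require MFA for privileged roles (baseline equivalent)'
    # Report-only first: sign-in logs then show who would have been blocked
    # without locking anyone out. Change to 'enabled' once that report is clean.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($roleTemplateIds)      # add further roles here if wanted
            excludeUsers = @($breakGlass.Id)        # the single break-glass exclusion
        }
        applications = @{
            includeApplications = @('All')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Two points follow from the article's advice. First, because the policy matches on role membership, an account elevated into one of these roles later is covered without editing the policy, which is the property the paragraph above describes. Second, the break-glass account is excluded here for the same reason it is excluded from the baseline policy; it should also be excluded from every other conditional access policy in the tenant, and its sign-ins should be alerted on, since a successful sign-in by that account should only ever happen during an actual emergency.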
Conclusion
Working with Office 365 and Azure AD is a sound decision, and this policy pushes customers toward securing their privileged accounts. One survey found that 55% of respondents were not using MFA, even for tenant administrator accounts. Enabling MFA on administrator accounts should be the first security step taken in any tenant.