New Conditional Access Policy “Require MFA for admins (Preview)” will be enabled in the future.

“Baseline policy: Require MFA for admins (Preview)” the basics.

There is a new policy in Azure AD, “Require MFA for admins (Preview)”. It is a policy in preview status that Microsoft will enable for you unless you explicitly set it to off yourself. The policy is not yet active, but it will not be long before Microsoft enables it.
In any case, we have already started testing and have enabled the policy at various customers.
The policy will force MFA for accounts with one of the following roles:

  • Global Administrators
  • SharePoint Administrators
  • Exchange Administrators
  • Conditional Access Administrators
  • Security Administrators

It is wise to look at this before Microsoft enables the Policy for you.

If MFA is forced on accounts that are used within scripts or other unattended functions, they can no longer log on, because the sign-in now waits for an MFA prompt that nobody answers. There is an exclude list for this kind of account, but how do you quickly find out which accounts belong on it? You could go through all accounts by hand, but that is agony.

For more about “Baseline policy: Require MFA for admins (Preview)” go to the Microsoft blog post.


How can we automate this?

We have written a script that shows who holds one of these roles in Office 365. Below I have shared the script.

The prerequisites for the script are that you have installed the Office 365 (MSOnline) PowerShell module and that you are already logged in to Office 365 via PowerShell (Connect-MsolService).

You can find the module here.

If you have just installed the module you can log in using this:

Connect-MsolService

The complete script, including login:

Connect-MsolService

# The Azure AD roles covered by the baseline policy, using the role names the MSOnline module expects
$roles = "Company Administrator", "SharePoint Service Administrator", "Exchange Service Administrator", "Security Administrator", "Conditional Access Administrator"

foreach ($role in $roles)
{
    # Look up the role object so we can query its members by ObjectId
    $r = Get-MsolRole -RoleName $role
    Write-Output $role
    Get-MsolRoleMember -RoleObjectId $r.ObjectId
}

The script shows a list of users who have one of these roles. You could export this to a .csv file.
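The following is an added example that builds on the script above; it is not code from the original post. It assumes the same MSOnline module and an existing Connect-MsolService session. Instead of only printing the members, it collects them into objects, records the member type (user, group or service principal) so that candidates for the exclude list stand out, looks up for each user whether any MFA method has been registered yet (the StrongAuthenticationMethods property of Get-MsolUser), and exports everything to a CSV file. The output path is a placeholder of my own.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# installed and Connect-MsolService has already been run in this session.
$roles = "Company Administrator",
         "SharePoint Service Administrator",
         "Exchange Service Administrator",
         "Security Administrator",
         "Conditional Access Administrator"

$report = foreach ($role in $roles) {
    $r = Get-MsolRole -RoleName $role
    foreach ($member in Get-MsolRoleMember -RoleObjectId $r.ObjectId) {
        # Only user objects carry MFA registration state. Groups and service
        # principals are still reported so they can be reviewed separately.
        $mfaRegistered = $null
        if ($member.RoleMemberType -eq 'User') {
            $user = Get-MsolUser -ObjectId $member.ObjectId
            # Empty StrongAuthenticationMethods means the user has not
            # registered any MFA method yet and will be prompted to do so
            # once the policy is active.
            $mfaRegistered = (@($user.StrongAuthenticationMethods).Count -gt 0)
        }
        [pscustomobject]@{
            Role          = $role
            DisplayName   = $member.DisplayName
            EmailAddress  = $member.EmailAddress
            MemberType    = $member.RoleMemberType
            MfaRegistered = $mfaRegistered
        }
    }
}

# Placeholder output path; adjust to your environment.
$report | Export-Csv -Path .\AdminRoleMembers.csv -NoTypeInformation -Encoding UTF8

# The accounts to look at before Microsoft enables the policy: users holding
# an admin role with no MFA method registered. Service accounts used by
# scripts will appear here; decide per account whether to register MFA for
# it or to put it on the policy's exclude list.
$report |
    Where-Object { $_.MemberType -eq 'User' -and -not $_.MfaRegistered } |
    Format-Table Role, DisplayName, EmailAddress -AutoSize
```

The CSV gives you the full picture for all five roles in one file, and the filtered table at the end is the short list to work through: everything on it will either start prompting for MFA registration or, if it is a script account, break when the policy becomes active.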


Can’t we just turn off the Policy “Require MFA for admins (Preview)”?

In addition, I would like to say that it is best to force MFA for system administrators and therefore to enable the policy. As you can read in Microsoft’s blog post: “In the last year, identity attacks have increased by 300%.” That is a lot, considering it is your business environment.

So, make sure that your service accounts are on the exclude list, but that MFA is forced for all other system management accounts.


A little extra

This post contains PowerShell. Would you like to learn the basics better? I have created a new website to learn basic PowerShell in an ‘emulator’ environment.
Click here to go learn Basic PowerShell.

Published by Bas Wijdenes

My name is Bas Wijdenes and I work full-time as a Services Engineer. In my spare time I write about the error messages that I encounter during my work. Furthermore, I am currently occupied with Office 365, Azure infrastructure, and PowerShell for automating daily tasks.
