Microsoft is set to introduce Conditional Access policies that will require administrators to use multifactor authentication (MFA) when signing into Microsoft admin portals including Microsoft Entra, Microsoft 365, Exchange, and Azure.
In addition, the company will implement policies that mandate MFA for all cloud apps for users still configured with legacy per-user MFA, and for high-risk sign-ins (the latter available only to Microsoft Entra ID Premium Plan 2 customers).
These Microsoft-managed policies, created by Microsoft on customers’ tenants, will be gradually added in report-only mode to eligible Microsoft Entra tenants starting next week. Administrators will then have 90 days to review and decide whether to enable them or not.
Conditional Access policies will be automatically enabled on tenants where they weren’t disabled within 90 days after the rollout.
“The first policy is highly recommended and will be deployed on your behalf to ensure multifactor authentication protects all user access to admin portals such as https://portal.azure.com, Microsoft 365 admin center, and Exchange admin center,” said Microsoft Vice President for Identity Security Alex Weinert.
“While you can opt out of these policies, Microsoft teams will increasingly require MFA for specific interactions, as they already do for certain Azure subscription management scenarios, Partner Center, and Microsoft Intune device enrollment.”
Administrators with at least the Conditional Access Administrator role can find these policies in the Microsoft Entra admin center under Protection > Conditional Access > Policies.
They can also modify the state (On, Off, or Report-only) for all Microsoft-managed policies, as well as excluded identities (Users, Groups, and Roles) within the policy.
Organizations are advised to exclude emergency access or break-glass accounts from these policies, similar to other Conditional Access policies.
Microsoft also allows the option to modify these policies further by cloning them and tailoring them like any other Conditional Access policy, starting with Microsoft-recommended defaults.
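One way to audit the break-glass exclusion recommended above across every Conditional Access policy that is enabled or in report-only mode, as an added example rather than code from the article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and the caller holds the Policy.Read.All permission; the account object IDs are placeholders.

```powershell
# Added example: confirm that each active Conditional Access policy excludes the
# tenant's emergency-access (break-glass) accounts. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# Object IDs of the break-glass accounts (placeholders; replace with your tenant's values)
$breakGlassIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Graph returns state as: enabled, disabled, or enabledForReportingButNotEnforced
$policies = Get-MgIdentityConditionalAccessPolicy -All

foreach ($p in $policies) {
    # A disabled policy enforces nothing, so its exclusions are irrelevant
    if ($p.State -eq "disabled") { continue }

    # Only direct user exclusions are checked here; group-based exclusions are not expanded
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    $missing  = @($breakGlassIds | Where-Object { $_ -notin $excluded })

    if ($missing.Count -gt 0) {
        Write-Warning ("Policy '{0}' [{1}] does not exclude: {2}" -f `
            $p.DisplayName, $p.State, ($missing -join ", "))
    } else {
        Write-Host ("Policy '{0}' [{1}] excludes all break-glass accounts" -f `
            $p.DisplayName, $p.State)
    }
}
```

Run this before the 90-day window closes so that any Microsoft-managed policy that flips from report-only to enabled cannot lock the emergency accounts out.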
“Our ultimate goal is 100 percent multifactor authentication. Given that formal studies show multifactor authentication reduces the risk of account takeover by over 99 percent, every user who authenticates should do so with modern strong authentication,” Weinert said.
“We aim to combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen your security posture on your behalf with the right controls.”