Skip to content

Latest commit

 

History

History
60 lines (48 loc) · 3.2 KB

how-to-policy-mfa-admin-portals.md

File metadata and controls

60 lines (48 loc) · 3.2 KB
Raw
title description ms.service ms.subservice ms.topic ms.date ms.author author manager ms.reviewer
Require multifactor authentication for Microsoft admin portals
Create a Conditional Access policy requiring multifactor authentication for admins accessing Microsoft admin portals.
entra-id
conditional-access
how-to
07/18/2023
joflore
MicrosoftGuyJFlo
amycolannino
lhuangnorth

Common Conditional Access policy: Require multifactor authentication for admins accessing Microsoft admin portals

Microsoft recommends securing access to any Microsoft admin portals like Microsoft Entra, Microsoft 365, Exchange, and Azure. Using the Microsoft Admin Portals app organizations can control interactive access to Microsoft admin portals.

User exclusions

[!INCLUDE active-directory-policy-exclusions]

Create a Conditional Access policy

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.

    1. Under Include, select Directory roles and choose built-in roles like:

      • Global Administrator
      • Application Administrator
      • Authentication Administrator
      • Billing Administrator
      • Cloud Application Administrator
      • Conditional Access Administrator
      • Exchange Administrator
      • Helpdesk Administrator
      • Password Administrator
      • Privileged Authentication Administrator
      • Privileged Role Administrator
      • Security Administrator
      • SharePoint Administrator
      • User Administrator

      [!WARNING] Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including administrative unit-scoped or custom roles.

    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

  6. Under Target resources > Cloud apps > Include, Select apps, select Microsoft Admin Portals.
  7. Under Access controls > Grant, select Grant access, Require authentication strength, select Multifactor authentication, then select Select.
  8. Confirm your settings and set Enable policy to Report-only.
  9. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

Related content