---
title: Require MFA for Azure management with Conditional Access
description: Create a custom Conditional Access policy to require multifactor authentication for Azure management tasks
ms.service: entra-id
ms.subservice: conditional-access
ms.topic: how-to
ms.date: 07/18/2023
ms.author: joflore
author: MicrosoftGuyJFlo
manager: amycolannino
ms.reviewer: calebb, lhuangnorth
---
Organizations use many Azure services and manage them from Azure Resource Manager-based tools like:
- Azure portal
- Azure PowerShell
- Azure CLI
These tools can provide highly privileged access to resources and can be used to:
- Alter subscription-wide configurations
- Change service settings
- Change subscription billing
To protect these privileged resources, Microsoft recommends requiring multifactor authentication for any user accessing these resources. In Microsoft Entra ID, these tools are grouped together in a suite called Windows Azure Service Management API. For Azure Government, this suite should be the Azure Government Cloud Management API app.
[!INCLUDE active-directory-policy-exclusions]
[!INCLUDE active-directory-policy-deploy-template]
The following steps create a Conditional Access policy that requires users who access the Windows Azure Service Management API suite to complete multifactor authentication.
> [!CAUTION]
> Make sure you understand how Conditional Access works before setting up a policy to manage access to Windows Azure Service Management API. Make sure you don't create conditions that could block your own access to the portal.
1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
1. Browse to Protection > Conditional Access.
1. Select Create new policy.
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
1. Under Assignments, select Users or workload identities.
1. Under Include, select All users.
1. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
1. Under Target resources > Cloud apps > Include > Select apps, choose Windows Azure Service Management API, and select Select.
1. Under Access controls > Grant, select Grant access, Require multifactor authentication, and select Select.
1. Confirm your settings and set Enable policy to Report-only.
1. Select Create to create and enable your policy.
After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
Use report-only mode for Conditional Access to determine the results of new policy decisions.
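The portal steps above map directly onto a single Microsoft Graph `conditionalAccessPolicy` object. The following script is an added example, not part of this article or of Microsoft's own tooling: it builds that object as the request body for `POST /identity/conditionalAccess/policies`, then checks it for the lock-out conditions the caution warns about (no break-glass exclusion, not starting in report-only mode, targeting every cloud app) before anything is submitted. The app ID used for Windows Azure Service Management API is the well-known first-party value; confirm it against the service principal in your own tenant. The break-glass object ID and the access token are constructed placeholders.

```python
"""Build and sanity-check the "Require MFA for Azure management" policy as a
Microsoft Graph request body (POST /identity/conditionalAccess/policies).
Example code; not the article's or Microsoft's own implementation."""
import json
import urllib.request

# Well-known first-party app ID of "Windows Azure Service Management API".
# Verify it against the service principal in your tenant before relying on it.
AZURE_MGMT_API_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Graph "state" values: start in report-only, move to "enabled" after review.
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENABLED = "enabled"

GRAPH_POLICIES_URL = (
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
)


def build_policy(name, break_glass_user_ids, state=REPORT_ONLY):
    """Return the request body for the policy described in the article:
    all users except the listed emergency-access accounts must satisfy MFA
    when signing in to the Azure management API."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {
                "includeApplications": [AZURE_MGMT_API_APP_ID],
            },
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["mfa"],
        },
    }


def lockout_risks(policy):
    """Return the conditions that could lock administrators out of the
    portal, mirroring the article's caution. An empty list means the body
    is safe to submit as a new policy."""
    problems = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if users.get("includeUsers") == ["All"] and not (
        users.get("excludeUsers") or users.get("excludeGroups")
    ):
        problems.append("no break-glass accounts are excluded")
    if apps.get("includeApplications") == ["All"]:
        problems.append("policy targets all cloud apps, not only the management API")
    if policy["state"] != REPORT_ONLY:
        problems.append("new policy is not in report-only mode")
    if "block" in policy["grantControls"].get("builtInControls", []):
        problems.append("grant control is block rather than require MFA")
    return problems


def submit_policy(access_token, policy):
    """POST the body to Microsoft Graph. Requires a token carrying the
    Policy.ReadWrite.ConditionalAccess permission. Network call; refuses
    to send a body that still has lock-out risks."""
    risks = lockout_risks(policy)
    if risks:
        raise ValueError("refusing to submit policy: " + "; ".join(risks))
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode(),
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder object ID; replace with your break-glass account.
    policy = build_policy(
        "CA - Require MFA for Azure management",
        ["00000000-0000-0000-0000-000000000001"],
    )
    print(json.dumps(policy, indent=2))
    print("lockout risks:", lockout_risks(policy) or "none")
```

After confirming the sign-in log results in report-only mode, the same policy can be switched on with `PATCH /identity/conditionalAccess/policies/{id}` and a body of `{"state": "enabled"}`, which is the API equivalent of moving the Enable policy toggle from Report-only to On.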