
Microsoft is rolling out a new baseline security policy for Azure Active Directory and Office 365 that requires multi-factor authentication for privileged accounts. The policy is in public preview right now, meaning it is visible in tenants but not yet enabled. The baseline security policy will require multi-factor authentication for accounts that are members of one of the following privileged roles:

You can view the policy in the Azure AD portal by navigating to the Conditional access section. Although the baseline security policy is implemented as a conditional access policy, there is no customization available except for excluding users and groups. Conditional access rules that you can fully customize require Azure AD Premium licenses, whereas the baseline security policy is available to all customers.

The new baseline security policy has been reported elsewhere as "mandatory" or as Microsoft "forcing" multi-factor authentication on customers' administrative accounts. You can opt out of the policy before it goes live by choosing Do not use policy, and you can set exclusions as I just mentioned a moment ago.

You can use the exclusion option to exclude at least one global administrator account from all conditional access policies. Microsoft recommends doing so to ensure that you still have a way to log in if you inadvertently lock yourself out of all admin portals. Think of it as a "break glass in case of emergency" account. The account should have a strong password that is stored in a secure location, and it should not be regularly used for day-to-day administration tasks. Aside from the emergency access account, you should aim to minimize the exclusions that you add to the policy. Microsoft recommends, if possible, switching to Managed Service Identity (MSI) or service principals with certificates.

The nature of the policy also ensures that accounts that are temporarily elevated to a privileged role (either manually or via privileged identity management) have MFA enforced on them, reducing the risk of compromise during the period of time they hold privileged access. This is similar to another recent addition to conditional access allowing policies to be targeted at directory roles. That capability extends to a wider range of directory roles than the five that are targeted by the baseline security policy.
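The two checks above (keep exclusions to a minimum, but make sure one emergency access account is excluded from every conditional access policy) are easy to get wrong by hand once a tenant has more than a couple of policies. The following Python is an added example, not code from the original post or from Microsoft; it audits a list of policies in the shape the Microsoft Graph `conditionalAccessPolicy` objects use (`conditions.users.includeRoles` / `excludeUsers`, `grantControls.builtInControls`). The policies, users and role names below are constructed sample data; real `includeRoles` entries are role template GUIDs, and the helper names (`audit`, `privileged_without_mfa`, `issues`) are mine.

```python
"""Audit conditional access exclusions against the break-glass guidance.

Added example (not from the original post). Assumes the Graph
conditionalAccessPolicy JSON layout; all data below is constructed.
"""
from typing import Dict, List, Set

# Constructed directory snapshot: object id -> user. Role display names stand in
# for the role template GUIDs a real Graph export would carry.
SAMPLE_USERS: Dict[str, dict] = {
    "u-001": {"userPrincipalName": "breakglass@contoso.example", "roles": ["Global Administrator"]},
    "u-002": {"userPrincipalName": "alice@contoso.example", "roles": ["Global Administrator"]},
    "u-003": {"userPrincipalName": "svc-mailflow@contoso.example", "roles": ["Exchange Administrator"]},
}

# Constructed policies: the MFA-for-admins baseline plus one unrelated policy.
SAMPLE_POLICIES: List[dict] = [
    {
        "id": "pol-baseline-mfa",
        "displayName": "Baseline policy: Require MFA for admins",
        "state": "enabled",
        "conditions": {"users": {
            "includeRoles": ["Global Administrator", "Exchange Administrator"],
            "excludeUsers": ["u-001", "u-003"],   # emergency account plus a service account
        }},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "pol-block-legacy",
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# Object ids of the designated emergency access ("break glass") accounts.
BREAK_GLASS: Set[str] = {"u-001"}


def requires_mfa(policy: dict) -> bool:
    """True when the policy's grant control includes the built-in MFA requirement."""
    return "mfa" in policy.get("grantControls", {}).get("builtInControls", [])


def audit(policies: List[dict], users: Dict[str, dict], break_glass: Set[str]) -> List[dict]:
    """Per enabled policy: is a break-glass account excluded, and who else is?"""
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":      # "Do not use policy" shows up as disabled
            continue
        excluded = policy["conditions"]["users"].get("excludeUsers", [])
        findings.append({
            "policy": policy["displayName"],
            "break_glass_excluded": any(uid in break_glass for uid in excluded),
            "other_exclusions": sorted(
                users[uid]["userPrincipalName"] for uid in excluded if uid not in break_glass
            ),
        })
    return findings


def privileged_without_mfa(policies: List[dict], users: Dict[str, dict], break_glass: Set[str]) -> List[str]:
    """Role holders (other than break-glass) excluded from every enabled MFA policy
    that targets one of their roles, i.e. privileged accounts that are never prompted."""
    mfa_policies = [p for p in policies if p.get("state") == "enabled" and requires_mfa(p)]
    unprotected = []
    for uid, user in users.items():
        if uid in break_glass or not user["roles"]:
            continue
        covering = [p for p in mfa_policies
                    if set(user["roles"]) & set(p["conditions"]["users"].get("includeRoles", []))]
        if covering and all(uid in p["conditions"]["users"].get("excludeUsers", []) for p in covering):
            unprotected.append(user["userPrincipalName"])
    return sorted(unprotected)


def issues(findings: List[dict]) -> List[str]:
    """Human-readable list of the two things the post says to check."""
    out = []
    for f in findings:
        if not f["break_glass_excluded"]:
            out.append(f"{f['policy']}: no emergency access account excluded")
        if f["other_exclusions"]:
            out.append(f"{f['policy']}: non-emergency exclusion(s): " + ", ".join(f["other_exclusions"]))
    return out


if __name__ == "__main__":
    for line in issues(audit(SAMPLE_POLICIES, SAMPLE_USERS, BREAK_GLASS)):
        print(line)
    print("privileged accounts never prompted for MFA:",
          privileged_without_mfa(SAMPLE_POLICIES, SAMPLE_USERS, BREAK_GLASS))
```

Run against the sample data, the audit flags the service account excluded from the baseline policy (an exclusion you would want to replace with a service principal or MSI, as the post suggests) and the legacy authentication policy that has no emergency account excluded from it. Against a real tenant you would feed it the policy and user objects exported from Graph instead of the constructed lists.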
