Baseline Policy Replacements: Conditional Access MFA for Administrators

Posted on Posted in Authentication, Azure Active Directory, Azure AD, AzureAD, conditional access

From Feb 29th 2020 Microsoft will remove the “baseline policies” from Azure AD. These were very useful in the past to enable blanket settings like MFA for all admin accounts (well, selected admin roles) and to disable legacy auth for the same admin roles.

With the removal of the baseline policies you need to ensure that before Feb 29th 2020 you have a replacement policy/policies in place. If you are reading this blog post after that date these steps will help you implement MFA for admin roles without using the Microsoft Security Defaults.

The Security Defaults are great for tenants without Azure AD P1 or higher licences (including Enterprise Mobility + Security E3/E5 licences) as they turn all this security on for you. If you have Azure AD P1 or higher licences (including Enterprise Mobility + Security E3/E5 licences) then you can use Conditional Access instead.

These steps below will implement a rule to allow selected admin roles to login only if they perform MFA successfully and to block legacy authentication for the same roles. The configuration below will also include a break glass account so that you always have a way to bypass this security should the need arise (loss of auth code generator device, outage at Microsoft that stops MFA working etc.).

1. Create Conditional Access Policy to force MFA for admin roles

Create a new policy called “Protect All Administrators – Require MFA for All Logins” and set the following options

  • Users and Groups > Directory Roles > select all roles relevant to your organization. Suggest selecting all those that end “Administrator” as a minimum and maybe include Global Reader as well.
  • Users and Groups > Exclude tab > Exclude the group that contains your break glass accounts. If you have not done this yet, go and do it and then come back here. As a minimum exclude your account for now.
  • Cloud apps or actions > All Cloud Apps
  • Conditions > Client Apps > deselect “Other Clients” to remove clients that only do legacy authentication
  • Grant > Require multi-factor authentication
  • Report Only – this is to make sure that we do not lock ourselves out by getting this wrong – we change it to “On” later once we know it is working

2. Create a policy to block legacy authentication clients from doing administrative actions

Create a second policy called “Protect All Administrators – Block Legacy Authentication” and set the following options:

    • Users and Groups > Directory Roles > select all roles relevant to your
      organization.This list will need to be identical to the above list, and when in future you edit the above list because Microsoft add new administrative roles, you need to match those changes to this policy list as well.
    • Users and Groups > Exclude tab > Exclude the group that contains your
      break glass accounts.
    • Cloud apps or actions > All Cloud Apps
    • Conditions > Client Apps > deselect all options except for “Other Clients” to remove clients
      that do modern authentication (therefore deselect browser and modern clients).
    • Grant > Block Access
    • Report Only – this is to make sure that we do not lock ourselves out by
      getting this wrong – we change it to “On” later once we know it is working

3. Future changes

As mentioned above, when Microsoft release new administrative roles, you you add the first person to a new role you have not used before, come and edit both of these policies to include that administrative role.

Once you are sure that the policy is working (by reviewing the Conditional Access reports) change the policies to “On” instead of “Report Only”.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.