September 19, 2020


Baseline Policy Replacements: Conditional Access MFA for Administrators

Tags: Authentication, Azure Active Directory, Azure AD, AzureAD, conditional access

January 2, 2020

From Feb 29th 2020 Microsoft will remove the “baseline policies” from Azure AD.

These were very useful in the past to enable blanket settings like MFA for all admin accounts (well, selected admin roles) and to disable legacy auth for the same admin roles.
With the removal of the baseline policies you need to ensure that before Feb 29th 2020 you have a replacement policy/policies in place.
If you are reading this blog post after that date these steps will help you implement MFA for admin roles without using the Microsoft Security Defaults.
The Security Defaults are great for tenants without Azure AD P1 or higher licences (including Enterprise Mobility + Security E3/E5 licences) as they turn all this security on for you.
If you have Azure AD P1 or higher licences (including Enterprise Mobility + Security E3/E5 licences) then you can use Conditional Access instead.
The steps below will implement a rule that allows selected admin roles to log in only if they perform MFA successfully, and a second rule that blocks legacy authentication for the same roles.
The configuration below will also include a break glass account so that you always have a way to bypass this security should the need arise (loss of auth code generator device, outage at Microsoft that stops MFA working etc.).
1. Create a Conditional Access policy to force MFA for admin roles

Create a new policy called “Protect All Administrators – Require MFA for All Logins” and set the following options:

Users and Groups > Directory Roles > select all roles relevant to your organization

Suggest selecting all those that end “Administrator” as a minimum and maybe include Global Reader as well.
Users and Groups > Exclude tab > Exclude the group that contains your AADConnect sync account and your break glass accounts.
If you have not done this yet, go and do it and then come back here.
As a minimum exclude your account for now.

Cloud apps or actions > All Cloud Apps

Conditions > Client Apps > deselect “Other Clients” to remove clients that only do legacy authentication.

Grant > Require multi-factor authentication

Report Only – this is to make sure that we do not lock ourselves out by getting this wrong – we change it to “On” later once we know it is working.
2. Create a policy to block legacy authentication clients from doing administrative actions

Create a second policy called “Protect All Administrators – Block Legacy Authentication” and set the following options:
Users and Groups > Directory Roles > select all roles relevant to your organization.
This list will need to be identical to the list in the first policy, and whenever you edit that list in future (for example because Microsoft add new administrative roles) you need to make the same change to this policy as well.
Users and Groups > Exclude tab > Exclude the group that contains your break glass accounts.
Cloud apps or actions > All Cloud Apps.
Conditions > Client Apps > deselect all options except for “Other Clients” to remove clients that do modern authentication (therefore deselect browser and modern clients).
Grant > Block Access.
Report Only – this is to make sure that we do not lock ourselves out by getting this wrong – we change it to “On” later once we know it is working.
3. Future changes

As mentioned above, when Microsoft release new administrative roles, or when you add the first person to a role you have not used before, come back and edit both of these policies to include that administrative role.
Once you are sure that the policy is working (by reviewing the Conditional Access reports) change the policies to “On” instead of “Report Only”.
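The three steps above describe two policies that must stay in lockstep: the same role list, the break glass group excluded from both, the client app types split so that modern clients land in the MFA policy and “Other clients” in the block policy, and both starting in Report Only. The script below is an added example (not the blog author's or Microsoft's code) that builds both policies as Microsoft Graph conditionalAccessPolicy JSON bodies from one shared role list and then checks those invariants, so the drift that step 3 warns about (a role added to one policy but not the other) is caught before the policy is posted. The role template IDs and group IDs are constructed placeholders; real values come from the Azure portal, Get-MgDirectoryRoleTemplate and Get-MgGroup. The Graph field names and enum values (state, clientAppTypes, builtInControls) are the documented v1.0 ones.

```python
"""Build the two admin-protection policies from one role list and check they
stay consistent. Added example; not the blog post's own code."""
import copy
import json

# Constructed placeholder IDs: replace with your tenant's role template and group IDs.
ADMIN_ROLE_TEMPLATE_IDS = [
    "00000000-0000-0000-0000-000000000001",  # e.g. Global Administrator
    "00000000-0000-0000-0000-000000000002",  # e.g. Exchange Administrator
    "00000000-0000-0000-0000-000000000003",  # e.g. Global Reader
]
BREAK_GLASS_GROUP_ID = "11111111-1111-1111-1111-111111111111"   # placeholder
SYNC_ACCOUNT_GROUP_ID = "22222222-2222-2222-2222-222222222222"  # placeholder

# Graph clientAppTypes values. The portal's "Other clients" checkbox is "other".
MODERN_CLIENTS = ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync"]
LEGACY_CLIENTS = ["other"]
ALL_CLIENT_TYPES = set(MODERN_CLIENTS) | set(LEGACY_CLIENTS)
REPORT_ONLY = "enabledForReportingButNotEnforced"  # portal: "Report-only"


def _base_policy(name, role_ids, exclude_group_ids, client_app_types):
    """Common skeleton: selected directory roles, all cloud apps, given client types."""
    return {
        "displayName": name,
        "state": REPORT_ONLY,  # start in report-only; switch to enabled after review
        "conditions": {
            "users": {
                "includeRoles": sorted(role_ids),
                "excludeGroups": sorted(exclude_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(client_app_types),
        },
    }


def build_mfa_policy(role_ids, exclude_group_ids):
    """Policy 1: modern clients only ("Other clients" deselected), grant requires MFA."""
    policy = _base_policy("Protect All Administrators – Require MFA for All Logins",
                          role_ids, exclude_group_ids, MODERN_CLIENTS)
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def build_legacy_block_policy(role_ids, exclude_group_ids):
    """Policy 2: only "Other clients" selected, grant blocks access."""
    policy = _base_policy("Protect All Administrators – Block Legacy Authentication",
                          role_ids, exclude_group_ids, LEGACY_CLIENTS)
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy


def check_policy_pair(mfa, block, break_glass_group_id=BREAK_GLASS_GROUP_ID):
    """Return a list of findings; an empty list means the two policies are consistent."""
    findings = []
    mfa_roles = set(mfa["conditions"]["users"]["includeRoles"])
    block_roles = set(block["conditions"]["users"]["includeRoles"])
    for role in sorted(mfa_roles ^ block_roles):  # roles present in only one policy
        where = "block policy" if role in mfa_roles else "MFA policy"
        findings.append(f"role {role} missing from {where}")
    for label, pol in (("MFA policy", mfa), ("block policy", block)):
        if break_glass_group_id not in pol["conditions"]["users"]["excludeGroups"]:
            findings.append(f"break-glass group not excluded from {label}")
        if pol["conditions"]["applications"]["includeApplications"] != ["All"]:
            findings.append(f"{label} does not cover all cloud apps")
    covered = set(mfa["conditions"]["clientAppTypes"]) | set(block["conditions"]["clientAppTypes"])
    if covered != ALL_CLIENT_TYPES:
        findings.append("client app types are not fully covered between the two policies")
    if mfa["grantControls"]["builtInControls"] != ["mfa"]:
        findings.append("MFA policy does not require MFA")
    if block["grantControls"]["builtInControls"] != ["block"]:
        findings.append("block policy does not block access")
    return findings


def set_enforced(policy):
    """Copy of a reviewed policy switched from Report Only to On (Graph state 'enabled')."""
    enforced = copy.deepcopy(policy)
    enforced["state"] = "enabled"
    return enforced


def to_graph_json(policy):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    mfa = build_mfa_policy(ADMIN_ROLE_TEMPLATE_IDS, [BREAK_GLASS_GROUP_ID, SYNC_ACCOUNT_GROUP_ID])
    block = build_legacy_block_policy(ADMIN_ROLE_TEMPLATE_IDS, [BREAK_GLASS_GROUP_ID])
    print("findings:", check_policy_pair(mfa, block) or "none")
    print(to_graph_json(mfa))
```

Keep the role list in one place (a file or variable both policies are generated from) and re-run the check whenever a role is added; when the Conditional Access reports show the expected sign-ins, post `set_enforced(...)` versions of both bodies rather than editing the state by hand.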