Azure Active Directory activates MFA for elevated user accounts (admins)

You probably haven’t noticed anything (yet). But Microsoft has added a Conditional Access policy to Azure Active Directory called Baseline policy: Require MFA for admins (Preview). Read the Microsoft post here. I am a strong believer in security, and that doesn’t change because we now consume a cloud service like Office 365: elevated accounts such as admins should be using MFA, and Microsoft backs that statement up by shipping this policy. The reason you haven’t noticed anything yet is that during the preview the policy is off by default; you have to switch it on yourself. Once it reaches general availability this is reversed: the policy is on by default unless you explicitly disable it.

Now what is the impact going to be? Simple: every account holding one of the admin roles covered by the policy (the preview covers the Global, SharePoint, Exchange, Conditional Access and Security administrator roles) will have to use MFA to get access to the Office 365 services. But what about scripts, service accounts and the like? The policy lets you exclude specific accounts, so I would keep a dedicated list of the admin accounts you use for automation or as service accounts and exclude exactly those. Keep in mind that every excluded account is a standing gap in the policy: keep the list short, give those accounts the narrowest role that does the job, and review the list regularly.

Now, a lot of people are going to complain that this is going to affect their end-users. To those people I say: why do your end-users have admin accounts enabled? I strongly believe in separation of duties and of accounts. If part of my daily tasks requires an elevated account, I should have a separate account that holds those permissions. Elevating your permissions should be a conscious decision, and if your account is always elevated it is not. The chance of doing something wrong is too real when you don’t separate your accounts.

Make sure to investigate the impact before this goes GA.
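As an added example (not part of the original post or Microsoft's own tooling), the following PowerShell script does the investigation the two previous points call for: it lists who holds the covered admin roles, whether each of them has already registered an MFA method, and which of them look like automation accounts that you may want to exclude. It assumes the MSOnline module is installed and Connect-MsolService has already been run with an account that can read directory roles; the role display names should be checked against Get-MsolRole in your tenant, and the 'svc-' naming convention used to spot service accounts is an assumption, not something the policy knows about.

```powershell
# Added example, not code from the original post. Requires the MSOnline module
# and an existing Connect-MsolService session with permission to read roles.

# Roles covered by the preview baseline policy. MSOnline uses its own display
# names (Global administrator is 'Company Administrator'); verify them with
# Get-MsolRole | Select-Object Name in your tenant.
$PrivilegedRoles = @(
    'Company Administrator',
    'SharePoint Service Administrator',
    'Exchange Service Administrator',
    'Conditional Access Administrator',
    'Security Administrator'
)

# Assumption: automation and service accounts follow a 'svc-' naming prefix.
$ServiceAccountPattern = 'svc-*'

$Report = foreach ($RoleName in $PrivilegedRoles) {
    $Role = Get-MsolRole -RoleName $RoleName -ErrorAction SilentlyContinue
    if (-not $Role) {
        Write-Warning "Role '$RoleName' not found; check the name with Get-MsolRole."
        continue
    }

    foreach ($Member in Get-MsolRoleMember -RoleObjectId $Role.ObjectId) {
        # Groups and service principals are not MFA-prompted as users; skip them.
        if ($Member.RoleMemberType -ne 'User') { continue }

        $User = Get-MsolUser -ObjectId $Member.ObjectId

        [pscustomobject]@{
            Role                 = $RoleName
            UserPrincipalName    = $User.UserPrincipalName
            # Any registered strong-auth method means MFA is already set up.
            MfaRegistered        = ($User.StrongAuthenticationMethods.Count -gt 0)
            LikelyServiceAccount = ($User.UserPrincipalName -like $ServiceAccountPattern)
            LastPasswordChange   = $User.LastPasswordChangeTimestamp
        }
    }
}

$Report | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize

Write-Host "`nAdmins who will be forced to register MFA once the policy is enabled:"
$Report |
    Where-Object { -not $_.MfaRegistered -and -not $_.LikelyServiceAccount } |
    Select-Object -ExpandProperty UserPrincipalName -Unique

Write-Host "`nCandidate exclusions (review each one; every exclusion is a standing gap in the policy):"
$Report |
    Where-Object { $_.LikelyServiceAccount } |
    Select-Object -ExpandProperty UserPrincipalName -Unique

# Keep the inventory; compare it against the exclusion list after the policy is on.
$Report | Export-Csv -Path .\admin-mfa-inventory.csv -NoTypeInformation
```

The first list is the group of people who will be interrupted at next sign-in once the policy is enabled, so it is the list to communicate before the switch is flipped. The second list is the one to weigh carefully: anything on it that can be moved to a non-admin role, or to an application identity with its own credential, should be moved rather than excluded.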