Microsoft Entra - Require MFA for Microsoft Admin Portals
- Mr B SOE way
- Oct 18, 2023
Microsoft recently released a new Conditional Access (CA) policy template that requires users to complete MFA when accessing admin portals.
Current CA Policy: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
The current policy requires MFA only for users assigned one of these administrator roles:
Global Administrator
Application Administrator
Authentication Administrator
Billing Administrator
Cloud Application Administrator
Conditional Access Administrator
Exchange Administrator
Helpdesk Administrator
Password Administrator
Privileged Authentication Administrator
Privileged Role Administrator
Security Administrator
SharePoint Administrator
User Administrator
Updated CA Policy:
The new CA policy requires everyone to use MFA when entering one of the admin portals, no matter which roles the identity holds. However, the new CA policy does not cover every admin portal.
Not included:
Microsoft SharePoint admin center
Microsoft Teams admin center
Included:
Microsoft Azure portal
Microsoft Exchange admin center
Microsoft Entra admin center
Microsoft Purview portal
Microsoft 365 admin center
Microsoft Intune admin center
Microsoft 365 Defender portal
Instructions:
Navigate to https://entra.microsoft.com, select Protection, then Conditional Access Policies, then New policy from template.

Select the Protect administrator tab, then select Require multifactor authentication for Microsoft admin portals. Select Review + create.

Select the CA policy, select specific users, and ensure the break-glass account is excluded.

Target resources is set to Microsoft Admin Portals.

Under Session controls, set Sign-in frequency to Periodic reauthentication with a value of 4 hours.

Once happy with the results, turn on the policy.
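One way to check the result of the steps above, as an added example that is not from the original post: it audits a policy exported from Microsoft Graph (conditionalAccessPolicy JSON) for the admin-portal target, the MFA grant, the break-glass exclusion, the 4-hour sign-in frequency and the enabled state. The break-glass object ID and the sample policy are constructed, and the function names are illustrative.

```python
BREAK_GLASS_ID = "00000000-0000-0000-0000-00000000b9a5"  # constructed placeholder

# Constructed policy shaped like a Microsoft Graph conditionalAccessPolicy export,
# still in report-only mode (the state before the final "turn on" step).
SAMPLE_POLICY = {
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {
        "isEnabled": True, "type": "hours", "value": 4, "frequencyInterval": "timeBased"}},
}


def reauth_hours(sif):
    """Sign-in frequency in hours, 0 for every-time, None when off or unset."""
    if sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime":
        return 0
    if not sif.get("isEnabled") or sif.get("value") is None:
        return None
    return sif["value"] * 24 if sif.get("type") == "days" else sif["value"]


def audit_admin_portal_policy(policy, break_glass_id, max_hours=4):
    """Return findings; an empty list means the policy matches the steps above."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    users = (policy.get("conditions") or {}).get("users") or {}
    grant = policy.get("grantControls") or {}
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    findings = []
    if "MicrosoftAdminPortals" not in (apps.get("includeApplications") or []):
        findings.append("target resources do not include Microsoft Admin Portals")
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        findings.append("grant controls do not include the built-in MFA control")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("MFA is OR'd with other controls, so another control can satisfy it")
    # Only direct exclusion is checked; group-based exclusions need membership data.
    if break_glass_id not in (users.get("excludeUsers") or []):
        findings.append("break-glass account is not in excludeUsers")
    hours = reauth_hours(sif)
    if hours is None or hours > max_hours:
        findings.append(f"sign-in frequency is not set to {max_hours} hours or less")
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not enforced")
    return findings
```

Calling `audit_admin_portal_policy(SAMPLE_POLICY, BREAK_GLASS_ID)` on the constructed sample reports only that the policy is still in report-only mode.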
