Conditional Access MFA for Admin Policy

Anonymous
2022-11-21T22:47:02.103+00:00

I have 2 Global Admin AAD accounts; for the sake of this exercise, call them Account1 and Account2.

  • Account1 is my main Global Admin work account.
  • Account2 is my Break Glass account.
  • I have MFA set up on Account1, but don't have MFA set up on Account2.

I have set up a Conditional Access Policy with these user Assignments:

  • Account1 Included
  • Account2 Excluded

I then set Grant Access to MFA.

Now my expectation is that MFA will be asked for when signing in with Account1, but with Account2, SSO will just ask for the password and not follow up with MFA.

Is this correct?

I haven't tested it out yet, because I am 'leery' that I might lock myself out of all Global Admin accounts.

To err on the safe side, I have added a third Global Admin account, Account3.

Microsoft Entra ID

Accepted answer
  1. Sandeep G-MSFT 16,691 Reputation points Microsoft Employee
    2022-11-22T08:42:36.723+00:00

    @Anonymous

    I would recommend that all users, including global admins in your tenant, register for MFA even if they are not prompted for MFA. This will ensure that you are not blocked from accessing the Azure AD portal even if MFA is enforced through a conditional access policy.

    In your scenario there are 2 accounts. If you want MFA to be prompted only for Account1, then while configuring the policy you can include only the user accounts to whom MFA needs to be prompted.

    If you have multiple groups of accounts and you want to exclude only one account from a group, then you can use the exclude option when configuring the conditional access policy.

    After creating the policy, you can use the What If tool to confirm which policies get applied to a specific account.
    Refer to the article below to learn more about the What If tool:
    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if

    This way you can create the policy, run the What If tool against one admin account, and confirm whether an MFA prompt is expected.

    Do let me know if you have any further questions on this

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
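
    The steps above (include Account1, exclude the break-glass account, require MFA, then verify before enforcing) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft's documentation; the UPNs, the policy name and the `contoso` tenant are assumptions to be replaced with your own values. It creates the policy in report-only mode, reads it back to confirm the exclusion, and checks that both accounts have something stronger than a password registered, which is the registration advice given above. The What If tool itself is only available in the portal, so the script verifies the exclusion by reading the stored policy instead.

```powershell
# Added example (not from the original thread). Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns -Scope CurrentUser
# The UPNs and policy name below are assumptions; replace them with your own accounts.

$adminUpn      = "account1@contoso.onmicrosoft.com"   # Account1: daily Global Admin, has MFA
$breakGlassUpn = "account2@contoso.onmicrosoft.com"   # Account2: break-glass, to be excluded
$policyName    = "CA001 - Require MFA for Account1"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "User.Read.All",
                        "UserAuthenticationMethod.Read.All"

# Resolve UPNs to object IDs: Conditional Access stores user object IDs, not UPNs.
$admin      = Get-MgUser -UserId $adminUpn      -Property Id, UserPrincipalName
$breakGlass = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName

# 1. Create the policy in report-only mode so nothing is enforced until the
#    sign-in log results have been reviewed. Switch the state to "enabled" later.
$policy = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @($admin.Id)
            excludeUsers = @($breakGlass.Id)
            # Alternative to listing individual admins: target the Global Administrator
            # role template ID with includeRoles instead of includeUsers.
            # includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Read the policy back and confirm the break-glass account really is excluded
#    before the policy is ever switched on.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) {
    throw "Break-glass account $breakGlassUpn is NOT excluded from '$policyName'; do not enable this policy."
}
"Policy '$($check.DisplayName)' state=$($check.State); excluded IDs: $($check.Conditions.Users.ExcludeUsers -join ',')"

# 3. Even though Account2 is excluded, confirm each admin has a non-password
#    method registered, so a later policy change cannot lock the tenant.
foreach ($u in @($admin, $breakGlass)) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $strong  = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    if (-not $strong) {
        Write-Warning "$($u.UserPrincipalName) has only a password registered; register MFA before enforcing."
    }
}

# 4. Only once the report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

    Run it from a session signed in as a third admin (Account3 in the question) rather than as one of the accounts the policy targets, and keep the policy in report-only mode until the Conditional Access insights in the sign-in logs show Account1 matched and Account2 did not.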


2 additional answers

Sort by: Most helpful
  1. Dillon Silzer 56,601 Reputation points
    2022-11-22T04:16:48.813+00:00

    Hi @Anonymous

    If you exclude Account2 from a Conditional Access policy, then it will not be affected by the change. From my understanding, you are trying to force MFA on all accounts (Account1 included, but Account2 excluded). If you follow the proper procedure for excluding Account2, you will be set.

    It even states in the documentation to exclude one Administrator account so you don't lock yourself out:


    https://learn.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion#create-a-conditional-access-policy-that-excludes-the-group

    ----------------------------------

    If this is helpful please accept answer.

    0 comments No comments

  2. Anonymous
    2022-11-25T15:18:05.64+00:00

    Will do and many thanks for your support.

    0 comments No comments