Conditional Access Policies Getting Activated Next Month for Microsoft 365 Tenancies
Microsoft this month gave renewed notice that it soon plans to activate Microsoft Entra ID Conditional Access policies that it set in November for certain Microsoft 365 licensees.
The policies, which add multifactor authentication requirements for things like admin portals, per-user cloud app licensees and licensees deemed to be at high risk, will start getting activated in February and March, Microsoft advised. IT pros will need to review these policies, and turn them off or alter them, if needed, before Microsoft's planned rollouts.
The Conditional Access policies are already in place for Microsoft 365 E3 and E5 licensees, as well as Microsoft 365 Business Premium users, who are eligible to use Microsoft Entra ID P1/P2 solutions, Microsoft's notice explained. However, the policies are currently enabled in "report-only mode," a nonactivated state that just describes what the effects would be if the policy were activated. In February and March, Microsoft intends to turn on those policies for real.
The delivery of these Conditional Access policies by Microsoft had been explained back in November by Alex Weinert, vice president of identity security. The idea was to get organizations using multifactor authentication, which Microsoft sees as a highly effective deterrent to phishing attacks. This approach of delivering multifactor authentication was successful with consumer Microsoft accounts, with account hacks decreasing by "more than 80 percent," Weinert noted.
Weinert's November post didn't indicate which licensees would be affected by Microsoft's plans to enforce these Conditional Access policies. However, this month's post added such clarity. Moreover, it was specifically addressed to partners overseeing small-to-medium businesses, informing them so that they'd be aware of the coming policy changes.
Even though Microsoft is rolling out these Conditional Access policies to organizations, it recognizes their need for "granular control." Microsoft is still enabling such control, even with the policy rollouts, Weinert contended:
Customers may not be in a position to disable legacy authentication for certain accounts (a requirement for security defaults), or they may need to make exceptions for certain automation cases. Conditional Access does a great job here, but often customers aren't sure where to start. They've told us they want a clear policy recommendation that’s easy to deploy but still customizable to their specific needs. And that’s exactly what we’re providing with Microsoft-managed Conditional Access policies.
Microsoft is aiming to eventually customize such policies for organizations by combining "machine learning-based policy insights and recommendations with automated policy rollout," Weinert had indicated back in his November post. The timing for such customizations, though, wasn't indicated.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.