Azure AD Admins To Get Multifactor Authentication by Default

Microsoft is bringing multifactor authentication (MFA) to organizations that manage Azure Active Directory tenancies.

The idea is to make MFA a "baseline policy" for all organizations with Azure AD account administrators. MFA is a secondary identity verification scheme beyond using a password. It typically entails answering an automated cell phone call or responding to a text message before access is granted.

On Friday, Microsoft announced that it is previewing MFA for protecting "privileged Azure AD accounts." By privileged accounts, Microsoft is referring to the IT pro administrator user accounts that an organization uses to manage Microsoft's identity and access management service.

The preview currently can be accessed within the Azure Portal by going to the Conditional Access blade. There's an option in there to turn on the baseline policy and "Require MFA for administrators." The interface lets organizations specify which Azure AD administrators will be subject to using MFA. The options include:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional access administrator
  • Security administrator

While this feature is currently in preview and trying it is optional, Microsoft is planning to make it a default setting for organizations once it's deemed to be at the "general availability" (or production-ready) stage. Here's how Microsoft described that coming change for Azure AD tenancies:

"After general availability, we're going to opt you into the policy by default but provide you [with] the configuration to opt out at any time. We highly recommend you opt into the policy immediately."

Presumably, MFA will be a default feature only for organizations that have the proper use rights. According to Microsoft's Azure AD pricing page, MFA is only offered with Premium P1 and P2 Azure AD plans. Update 6/26: However, a reader pointed out that Microsoft doesn't charge for global administrators to use MFA.

"Users assigned the Global Administrator role in Azure AD tenants can enable two-step verification for their Azure AD Global Admin accounts at no additional cost," Microsoft explained in this Azure document.

Microsoft isn't just an advocate for using MFA with the Azure AD service. It's also recommending its use when administering other services, such as Exchange Online. In a Friday Microsoft Tech Community post, Jeff Sun of Microsoft argued that MFA and encryption were seen as the two biggest obstacles for attackers, and he urged Office 365 tenancies to activate MFA when administering Exchange Online.

Organizations can enable MFA for Exchange Online through the Office 365 Admin Center, Security and Compliance Center and Exchange Admin Center. It's more complicated to enable MFA when organizations have automated their Exchange Online administration using PowerShell, he noted.

Sun advocated using additional Microsoft security solutions to administer Exchange Online beyond MFA, namely:

The use of those features, of course, requires having the licensing in place beyond an Office 365 subscription.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

