Be prepared for upcoming enforcement of MFA protection for Office 365 Admins

*** Summary ***
Microsoft has recently added a new policy in Azure AD.
This policy will enforce MFA protection for Office 365 Admins by default.
Microsoft will enforce this policy 'in the future' if you do not intervene.
If you do not plan for the change, scheduled scripts may fail if running under Admin credentials.
If you do not plan for the change, you may need to adjust how you connect to Office 365 via PowerShell.
More info from Microsoft can be found here - Link

==============================================================

*** My MFA tutorials and scripts ***

PowerShell Connection Script for MFA
Office 365 Connection Script with Modern Auth - Supports MFA (Multi-Factor Auth) - Link

MFA (Multi-Factor Authentication) Pre-requisites
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link

Modern Authentication and Multi-Factor Authentication -
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

All MFA Tutorials
All My Modern Auth and Multi-Factor Authentication Tutorials  - Link

==============================================================

Great Initiative
This is a great initiative from Microsoft. Applying an extra layer of security to Office 365 Admins by default is a positive step forward in the constant battle for cloud security, but you will need to make sure you are prepared for the day it is switched on.

Current settings -
Currently, this new 'baseline policy' is set to 'Automatically enable policy in the future'.
This means that unless you manually override the setting, Microsoft decides when the policy is enabled and enforced, not you.

This will impact any users with the following admin rights -
- Global administrator 
- SharePoint administrator 
- Exchange administrator 
- Conditional access administrator 
- Security administrator 

Most importantly, any of your scheduled scripts that authenticate with the stored username and password of an account holding one of those roles may fail once the policy is enforced: a non-interactive logon has no way to answer the MFA challenge, so the sign-in is simply rejected.


To prepare for this change
- Decide firstly if you want this new policy enforced or not
- Edit the new baseline policy to meet the business requirements
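Before deciding, it helps to know exactly which accounts the policy will cover and which of them have never been set up for MFA. The script below is an added example, not code from the original post or from Microsoft. It uses the AzureAD and MSOnline modules to list the members of the five roles named above and their current per-user MFA state. The role display names are the ones the AzureAD module returns (Global administrator is exposed as 'Company Administrator'), and the 'svc-' naming convention used to flag likely service accounts is an assumption you should replace with your own.

```powershell
# Added example (not from the original post or Microsoft): inventory the accounts
# the baseline policy will cover, so you can find any that are used by scheduled
# scripts before MFA is enforced. Requires the AzureAD and MSOnline modules
# (Install-Module AzureAD; Install-Module MSOnline) and an interactive sign-in.

# The five roles named in the post, using the display names the AzureAD module
# returns (Global administrator is exposed as 'Company Administrator').
$AffectedRoles = @(
    'Company Administrator',
    'SharePoint Service Administrator',
    'Exchange Service Administrator',
    'Conditional Access Administrator',
    'Security Administrator'
)

function Get-AffectedAdminReport {
    # Get-AzureADDirectoryRole only lists roles that have been activated in the
    # tenant (i.e. have had at least one member), so a role missing from the
    # output means nobody currently holds it.
    $roles = Get-AzureADDirectoryRole | Where-Object { $AffectedRoles -contains $_.DisplayName }

    foreach ($role in $roles) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            # Skip service principals and groups; the baseline policy targets user accounts.
            if ($member.ObjectType -ne 'User') { continue }

            # Per-user MFA state from MSOnline. 'Enabled' or 'Enforced' means the
            # account already expects a second factor; an empty list means MFA has
            # never been configured and the account will feel the change most.
            $msolUser = Get-MsolUser -UserPrincipalName $member.UserPrincipalName
            $mfaState = if ($msolUser.StrongAuthenticationRequirements.Count -gt 0) {
                $msolUser.StrongAuthenticationRequirements[0].State
            } else { 'Not configured' }

            [pscustomobject]@{
                Role                 = $role.DisplayName
                UserPrincipalName    = $member.UserPrincipalName
                AccountEnabled       = $member.AccountEnabled
                PerUserMfaState      = $mfaState
                # Assumption for this example: scheduled-task service accounts follow a
                # naming convention such as 'svc-'. Adjust the pattern to your tenant.
                LikelyServiceAccount = ($member.UserPrincipalName -like 'svc-*')
            }
        }
    }
}

Connect-AzureAD | Out-Null
Connect-MsolService
Get-AffectedAdminReport | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
```

Any row that shows 'Not configured' and 'LikelyServiceAccount = True' is a candidate for either an exclusion (see below) or, better, for moving the job off a human admin credential entirely.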

Accessing the new policy
To access this policy, first log in to the Azure AD Portal -
Select - Azure Active Directory

Next, scroll down through the options until you see the 'Security' section
- Select - Conditional Access


Here you will see any Conditional Access Policies that have been created.
You will also see the new policy - 'Baseline policy: Require MFA for admins (Preview)'.
Click to select this policy


You will now be able to view the properties of the policy.

The policy properties state clearly that 'This policy will automatically be enabled in the future'. That may be tomorrow, or it may be in six months' time, so it is best to prepare now.

It is highly recommended to think about the implications of each option and choose carefully.
It is best practice to protect your admin accounts with MFA, and this is a free service. However, if you choose to protect your admin accounts with MFA, you need to realise that this will change how you perform your daily administration, especially via PowerShell.

If you connect to Office 365 with your admin accounts via PowerShell, you will need to ensure your connection script supports MFA. If you don't already use my PowerShell connection script that supports MFA, you can download it here - Link
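To make the PowerShell impact concrete, here is an added example (not the post's own connection script) showing the classic basic-auth Exchange Online session that cannot satisfy an MFA prompt next to the modern-auth forms that can. It uses the ExchangeOnlineManagement module; the UPN, AppId, Organization and certificate thumbprint are placeholders. The app-only (certificate) option is an alternative the post does not mention: it is the way to keep a scheduled job running once MFA is required, because there is no user to challenge and no password to store.

```powershell
# Added example (not the post's own connection script): basic auth versus modern
# auth when connecting to Exchange Online. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement). All identifiers are placeholders.

$AdminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder, replace with your own

# BEFORE: the classic remote PowerShell pattern. The stored credential is sent with
# -Authentication Basic; once the baseline policy requires MFA for this account,
# the logon is rejected because this code path cannot present a second factor.
# A scheduled task built on this pattern fails silently from the policy's perspective.
function Connect-ExoBasicAuth {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $session -DisableNameChecking | Out-Null
    return $session
}

# AFTER (interactive admin work): modern authentication. The sign-in happens in a
# browser/auth window where the MFA challenge can be completed.
function Connect-ExoModernAuth {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false
}

# AFTER (unattended scripts): do not run scheduled jobs under a human admin account.
# App-only authentication with a certificate has no user to challenge, so the MFA
# policy does not apply, and no password is stored on disk. The app registration,
# its Exchange.ManageAsApp permission and its role assignment are set up separately.
function Connect-ExoAppOnly {
    param(
        [Parameter(Mandatory)][string]$AppId,                  # placeholder GUID
        [Parameter(Mandatory)][string]$Organization,           # e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)][string]$CertificateThumbprint   # cert in the task account's store
    )
    Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
        -CertificateThumbprint $CertificateThumbprint -ShowBanner:$false
}

# Typical interactive use: connect, confirm modern auth is on for the tenant, disconnect.
Connect-ExoModernAuth -UserPrincipalName $AdminUpn
Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
Disconnect-ExchangeOnline -Confirm:$false
```

Connect-ExoBasicAuth is included only as the 'before' picture; do not deploy it. Microsoft has since retired basic authentication for Exchange Online remote PowerShell, so that path fails today regardless of the MFA policy.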

==============================================================

Policy Options Available -

There are three main options available -
- Automatically enable policy in the future - (Default and current setting)
- Use policy immediately (All admin accounts will be automatically protected by MFA)
- Do not use policy (You will have to enforce MFA on admin accounts manually)


These settings are self-explanatory, so I won't go into more detail.
For this article, I am keeping the default configuration, 'Automatically enable policy in the future'.


Excluding users from the policy configuration you select -
Once you have chosen the policy setting, decide whether any users need to be excluded from it, for example an emergency-access account or a service account used by a scheduled script that cannot yet handle MFA. Every excluded account is a gap in the control, so keep the list as short as possible and review it regularly.

To select users to be excluded - click the section 'Exclude users and groups' to expand the blade.
Then click - Select excluded users -
Then select, or search for, the users you would like to exclude.
Highlight the users to add and then click - Select


Once you have chosen the users to be excluded, they will appear in the Exclude blade.
Click - Done - at the bottom of the blade to save the excluded users.


Once updated, the policy will show that users are excluded.


Make sure you click - Save - to save and update any changes you have made.


Please think about the business needs and choose wisely with regard to this upcoming policy implementation. Plan and choose carefully so that you protect your accounts while still ensuring business continuity.

-------------------------------------------------------------------------------------------

Don't forget to check out all my MFA tutorials and my MFA PowerShell Connection Script.

-------------------------------------------------------------------------------------------

Check out a list of ALL of my tutorials here - Link
