Assessing the impact that the new Baseline Policy for Admins in Azure AD might have


Microsoft is working hard to further harden Azure Active Directory tenants, so that the roughly 13 million organizations depending on it are not let down by Azure AD-based security breaches and do not have to worry about attacks on their infrastructure.

One of the newest features Microsoft is developing is baseline policies: pre-defined Conditional Access policies that address common areas of concern automatically and continually, without every tenant having to build them by hand. The first baseline policy, which is now in public preview, is the Baseline Policy: Require MFA for admins.

Currently, this baseline policy is in public preview and not enforced. However, Microsoft plans to turn it on automatically in the near future.

While I approve of hardening critical infrastructure components out of the box, I fear that current Azure AD admins may be adversely impacted: in some tenants, administrative accounts go from no additional authentication to required MFA overnight, and accounts that cannot complete an MFA challenge, such as service accounts holding an admin role, will stop working. In this blogpost, I intend to provide the means to assess the impact the new baseline policy for Azure AD admins might have.


About the Baseline Policy: Require MFA for admins (Preview)

The Baseline Policy: Require MFA for admins (Preview) in Azure AD requires multi-factor authentication for the following directory roles:

  • Global administrators (also known as Company administrators)
    This role permits access to all administrative features across Azure AD and Office 365. This is the most powerful role.
  • SharePoint administrators
    This role permits access to the SharePoint online admin center. This includes the ability to create, delete, and assign permissions to site collections and manage OneDrive for Business.
  • Exchange administrators
    This role permits management of Exchange Online. This includes the ability to grant Send As and Send on Behalf permissions to users for other user’s mailboxes.
  • Conditional Access administrators
    This role grants the ability to manage Azure Active Directory conditional access settings. To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator.
  • Security administrators
    This role grants the ability to read security and audit information, and to manage the Privileged Identity Management service and the Identity Protection Center (requires Azure AD Premium P2).

These roles have a high potential for misuse. To strengthen the verification of users holding these roles in your tenant, the policy requires a second factor at sign-in in the form of Azure Multi-Factor Authentication (Azure MFA).


Assessing the impact of the Baseline Policy: Require MFA for admins (Preview)

Any user object that has one or more of the above directory roles assigned, will be impacted by the Baseline Policy: Require MFA for admins (Preview).

To get an overview of these users, use the following script, leveraging version 2 of the Azure AD PowerShell Module:

Connect-AzureAD

# Global Administrator is listed as 'Company Administrator' by the AzureAD module; the other display names can differ between module versions, so compare against Get-AzureADDirectoryRoleTemplate if a role seems missing from the output.
$roleNames = 'Company Administrator', 'SharePoint Administrator', 'Exchange Administrator', 'Conditional Access Administrator', 'Security Administrator'
# Pass -ObjectId explicitly: piping a role object straight into Get-AzureADDirectoryRoleMember fails with Request_BadRequest.
Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $roleNames } | ForEach-Object { Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId } | Format-Table DisplayName, UserPrincipalName

The script above produces a table of the affected accounts. An account that holds several of these roles appears once per role. Note that Get-AzureADDirectoryRole only returns roles that have been activated in the tenant, so the list reflects current role membership only; a role nobody has ever been assigned is simply absent.
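As an added example that is not part of the original post, the script below extends the inventory: it lists every object holding one of the five roles exactly once, with all of its roles, tells user objects apart from service principals, and, for users, looks up whether an MFA method has already been registered, which is the column that tells you who will be prompted to register (or will break, in the case of a service account used by an application) once the policy is enforced. It assumes the AzureAD (v2) and MSOnline PowerShell modules are installed and that both Connect-AzureAD and Connect-MsolService are allowed to prompt for credentials. The roles are matched on their Azure AD role template IDs rather than display names, so the result does not depend on the module version's naming; the friendly names in the table are my own labels.

```powershell
# Added example, not the original post's script: inventory every object holding one of
# the five directory roles the baseline policy covers, once per object, with all of its
# roles and, for user objects, whether an MFA method is already registered.
# Assumes the AzureAD (v2) and MSOnline modules are installed; both Connect-* cmdlets
# prompt interactively.
Connect-AzureAD | Out-Null
Connect-MsolService

# Azure AD role template IDs (identical in every tenant) mapped to a friendly label.
# Matching on the template ID avoids depending on display names, which differ between
# module versions (the AzureAD module shows Global Administrator as 'Company Administrator').
$roleTemplates = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' = 'SharePoint Administrator'
    '29232cdf-9323-42fd-ade2-1d097af3e4de' = 'Exchange Administrator'
    'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9' = 'Conditional Access Administrator'
    '194ae4cb-b126-40b2-bd5b-6091b380977d' = 'Security Administrator'
}

# Get-AzureADDirectoryRole returns only roles that have been activated in the tenant,
# which is exactly the set of roles that can currently have members.
$roles = Get-AzureADDirectoryRole | Where-Object { $roleTemplates.ContainsKey($_.RoleTemplateId) }

# Collect members keyed by ObjectId so an account with several roles appears once.
$affected = @{}
foreach ($role in $roles) {
    $roleName = $roleTemplates[$role.RoleTemplateId]
    # Pass -ObjectId explicitly; piping the role object itself fails with Request_BadRequest.
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if (-not $affected.ContainsKey($member.ObjectId)) {
            $affected[$member.ObjectId] = [pscustomobject]@{
                DisplayName       = $member.DisplayName
                UserPrincipalName = $member.UserPrincipalName   # $null for service principals
                ObjectType        = $member.ObjectType          # 'User' or 'ServicePrincipal'
                Roles             = @()
                MfaRegistered     = $null                       # only meaningful for users
            }
        }
        $affected[$member.ObjectId].Roles += $roleName
    }
}

# For user objects, check whether any MFA method is registered. StrongAuthenticationMethods
# (MSOnline) is empty for accounts that never completed MFA registration; those are the
# accounts that get prompted to register, or stop working if nobody can answer the prompt.
foreach ($entry in $affected.Values) {
    if ($entry.ObjectType -eq 'User' -and $entry.UserPrincipalName) {
        $msolUser = Get-MsolUser -UserPrincipalName $entry.UserPrincipalName -ErrorAction SilentlyContinue
        $entry.MfaRegistered = [bool]($msolUser.StrongAuthenticationMethods.Count -gt 0)
    }
}

$affected.Values |
    Sort-Object ObjectType, DisplayName |
    Select-Object DisplayName, UserPrincipalName, ObjectType,
                  @{ Name = 'Roles'; Expression = { $_.Roles -join ', ' } },
                  MfaRegistered |
    Format-Table -AutoSize
```

Run it in a Windows PowerShell session with both modules installed. Rows with ObjectType ServicePrincipal are application identities that authenticate with a secret or certificate rather than an interactive user sign-in, so a user MFA policy does not prompt them; the rows to act on first are the User entries with MfaRegistered False, and among those, any that are really service accounts used by a vendor's product.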


Modifying the Baseline Policy: Require MFA for admins (Preview)

The script above might show you user accounts that are no longer needed. Disable these objects and review your procedures.

The script above might also show you service accounts that need a directory role to function properly. I urge you to contact the vendors of the solutions behind such service accounts and tell them that the better approach to service account functionality in Azure AD is a service principal. However, I realize that authentication and authorization in a solution is not rewritten, tested, regression tested, piloted in representative environments, released and distributed to customers in one day.

If your organization is adversely impacted, user objects and groups in Azure Active Directory can be excluded from the baseline policy. Microsoft's recommendation is to exclude at least one emergency-access administrative account in any case, to ensure your organization cannot be locked out of its Azure AD tenant.

Follow these steps to modify the Baseline Policy: Require MFA for admins (Preview) and exclude several accounts:

  • Navigate to https://aad.portal.azure.com.
  • Sign in with an account with Global Administrator privileges.
  • In the left-most navigation pane, click on (the icon of) Azure Active Directory.
  • In the navigation blade for your Azure AD tenant, scroll down a bit and click on Conditional Access.
  • The Policies pane will be the one opened by default.

Screenshot: Conditional Access policies in Azure AD

  • Click on the Baseline Policy: Require MFA for admins (Preview) policy.
  • In the Baseline policy, click on Exclude users and groups.
  • On the Users and groups blade, click on Select excluded users >.
  • Select the groups and/or individual user objects you wish to exclude from the baseline policy.
  • Click the blue Select button near the bottom of the Select excluded users blade.
  • Click Done on the Users and groups blade.

Screenshot: the Use policy immediately option for the Baseline Policy: Require MFA for admins (Preview)

  • On the Baseline policy: Require MFA for admins (Preview) blade select the Use policy immediately option.
  • Click Save at the bottom of the blade.


Concluding

Don’t get caught off-guard by the hardening changes coming to Azure Active Directory in the near future. Prepare today.


3 Responses to Assessing the impact that the new Baseline Policy for Admins in Azure AD might have

  1.  

Very nice article! I get an error running the script.

    Get-AzureADDirectoryRoleMember : Error occurred while executing GetAzureADDirectoryRoleMembers
    Code: Request_BadRequest
    Message: Syntax error at position 19 in 'class DirectoryRole {
    DeletionTimestamp:
    ObjectId: 5c8d9042-3c38-4d86-8d5c-d2affe281f74
    ObjectType: Role
    Description: Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
    DisplayName: Company Administrator
    IsSystem: True
    RoleDisabled: False
    RoleTemplateId: 62e90394-69f5-4237-9190-012177145e10
    }
    '.
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:3 char:292
    + … eq ‘Security Administrator’} | Get-AzureADDirectoryRoleMember | Forma …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-AzureADDirectoryRoleMember], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetAzureADDirectoryRoleMembers

  2.  

    Sander,
    It looks like they have turned off the ability to exclude users from the baseline policies. So much for the Microsoft recommendation to exclude the emergency accounts.

    • It looks like they are ditching the Baseline Policies altogether for the new Security Defaults.

      The recommendation seems to be to use Conditional Access policies to the same effect as the baseline policies and create exceptions in the policies to accommodate any functionality you can't properly secure. This only applies to organizations with Azure AD Premium licenses (or up).
