As part of MC224734, Microsoft has communicated publicly that they are requiring multi-factor authentication (MFA) from four more Azure AD privileged roles through the Security Defaults functionality. Organizations leveraging Conditional Access to require MFA from privileged accounts should take note.
About Security Defaults
Security Defaults is an Identity security feature. When enabled, it requires all users in a tenant to register for MFA using the Microsoft Authenticator App and perform MFA whenever Azure AD Identity Protection flags a sign-in or user with its built-in rules. The feature also blocks all authentication requests coming from legacy authentication protocols.
When Security Defaults is enabled, a set of nine highly privileged Azure AD admin roles are required to perform MFA more frequently than other roles due to their privileged nature:
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional Access administrator
- Security administrator
- Helpdesk administrator
- Billing administrator
- User administrator
- Authentication administrator
What’s New for Organizations with Security Defaults
Now, Microsoft is changing the context of the Security Defaults feature.
What’s changing?
This list of roles is expanding to include:
- Application Administrator
- Cloud Application Administrator
- Password Administrator
- Privileged Authentication Administrator
Who’s impacted?
In organizations who have Security Defaults enabled in your tenant, all Application Administrators, Cloud Application Administrators, Password Administrators, and Privileged Authentication Administrators will soon be required to perform multi-factor authentication (MFA) each time they sign-in.
To get an overview of the people impacted, use the following script, leveraging version 2 of the Azure AD PowerShell Module:
Connect-AzureAD
Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Password
Administrator' -or $_.displayName -eq 'Cloud Application Administrator' -or $_.displayName -eq 'Application Administrator' -or $_.displayName -eq 'Privileged Authentication Administrator'} | Get-AzureADDirectoryRoleMember | Format-Table DisplayName,UserPrincipalName
The above two lines of Windows PowerShell code will provide a table with accounts affected. Some accounts may appear multiple times when these accounts have multiple directory roles assigned to them.
When is the change due?
Microsoft is making these changed per tenant, starting in late November 2020 through early December 2020.
What’s New for Organizations with Conditional Access
For organizations leveraging Conditional Access to require MFA from privileged accounts, nothing changes at this moment. However, Microsoft now implicitly recommends organizations who don’t use the Security Defaults feature to require multi-factor authentication from people in these four additional Azure AD roles.
My recommendationS
I have two recommendations. When your organization has Azure AD Premium licenses, then stop configuring Azure multi-factor authentication through the legacy PhoneFactor portal.
My other recommendation is to either:
- Require multi-factor authentication from people with any Azure AD role that end in Administrator, with an exception for the emergency access account(s), or;
- Require multi-factor authentication from the thirteen Azure AD roles, as summed up above, with an exception for the emergency access account(s).
Who’s impacted?
If you want to go the first route, the following two lines of Windows PowerShell provide the impacted user accounts:
Connect-AzureAD
Get-AzureADDirectoryRole | Where-Object {$_.displayName –contains 'Administrator' | Get-AzureADDirectoryRoleMember | Format-Table DisplayName,UserPrincipalName
The same two lines of Windows PowerShell code above will provide the impact on people when only the four roles are added to the Conditional Access policy that requires multi-factor authentication.
Concluding
Microsoft is moving fast in tightening the information security measures in the Security Defaults feature. Don’t fall behind if your organization uses Conditional Access policies instead.
Login