{"id":1399,"date":"2018-06-26T10:01:38","date_gmt":"2018-06-26T09:01:38","guid":{"rendered":"http:\/\/www.myfatblog.co.uk\/?p=1399"},"modified":"2018-06-26T10:01:38","modified_gmt":"2018-06-26T09:01:38","slug":"enforced-mfa-for-office-365-admins-dont-get-caught-out","status":"publish","type":"post","link":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/","title":{"rendered":"Enforced MFA for Office 365 Admins &#8211; Don&#8217;t get caught out!"},"content":{"rendered":"<p>I\u2019ve been working on conditional access for a while now with a client, trying to find the right balance of command and control versus usability for the organisation. Just as I thought we were there, I noticed a new policy called \u201c<strong><em>Baseline policy: Require MFA for admins (Preview)\u201d<\/em><\/strong> had appeared. Given that this is buried in the Azure Portal, I don&#8217;t think a lot of Office 365 admins will be aware of this just yet!<\/p>\n<p>I hadn\u2019t added this, neither had my client, so I clicked into the policy for more information and took a look at the configuration pane for this policy.<\/p>\n<div style=\"width: 263px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" src=\"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png\" alt=\"image\" width=\"263\" height=\"435\" border=\"0\" \/><\/a><p class=\"wp-caption-text\">Baseline Policy &#8211; Require MFA for admins.<\/p><\/div>\n<p>The link at the top takes you to a <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/active-directory-conditional-access-baseline-protection\" target=\"_blank\" rel=\"noopener noreferrer\">link explaining what Baseline Protection<\/a> is. 
Basically, it\u2019s a set of predefined conditional access policies. Given that there is currently only one policy, I think we\u2019ll see Microsoft creating a few more of these over the coming months. (I\u2019d actually like to see them bring a lot more control over things like Risky sign-ins into the cheaper license SKUs, but this is a good start!)<\/p>\n<p>In this case, when the policy is enabled, it will automatically enforce MFA on anyone who is in the directory roles listed in the policy window. This is great, unless your users have their day-to-day accounts configured for MFA, in which case they\u2019ll need to sign on using MFA, even when logged into a trusted device on the company LAN. That\u2019s not actually as bad as it sounds, as by default you can select a \u201c<em>don\u2019t ask me for MFA on this device for X number of days<\/em>\u201d option, where X is configurable between 0 and 60 in the MFA settings.<\/p>\n<p>Personally, I think this is a great move and most companies should consider enabling this policy immediately, but make sure you warn your admins first. I would advise that you get them to visit <a href=\"https:\/\/aka.ms\/MFASetup\">https:\/\/aka.ms\/MFASetup<\/a> in advance of this to get their authenticator app configured as soon as possible, as this makes signing on a breeze, just requiring you to click \u201cApprove\u201d on the authenticator pop-up (even easier if you\u2019re wearing a smart watch too!).<\/p>\n<p>One thing that the link does call out is that if you\u2019re using privileged accounts in your scripts, these will be affected by the policy. You can exclude those accounts from the process, but the link suggests using App Service Principals instead. 
I must admit I haven\u2019t tried these yet when accessing Office 365 resources, but I aim to do that very soon and will post here a guide on how to use them.<\/p>\n<p>Paul.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I\u2019ve been working on conditional access for a while now with a client, trying to find the right balance of command and control versus usability for the organisation. Just as I thought we were there, I noticed a new policy called \u201cBaseline policy: Require MFA for admins (Preview)\u201d had appeared. Given that this is buried &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[247],"tags":[248,249,173,250],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Enforced MFA for Office 365 Admins - Don&#039;t get caught out! - Blog of an overweight SharePoint addict<\/title>\n<meta name=\"description\" content=\"Microsoft are enforcing an MFA policy on Office 365 admins in their Azure Portals. 
Don&#039;t get caught out by this change and get prepared now.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Enforced MFA for Office 365 Admins - Don&#039;t get caught out! - Blog of an overweight SharePoint addict\" \/>\n<meta property=\"og:description\" content=\"Microsoft are enforcing an MFA policy on Office 365 admins in their Azure Portals. Don&#039;t get caught out by this change and get prepared now.\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog of an overweight SharePoint addict\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-26T09:01:38+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png\" \/>\n<meta name=\"author\" content=\"Cimares\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cimares\" \/>\n<meta name=\"twitter:site\" content=\"@cimares\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cimares\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/\",\"url\":\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/\",\"name\":\"Enforced MFA for Office 365 Admins - Don't get caught out! - Blog of an overweight SharePoint addict\",\"isPartOf\":{\"@id\":\"http:\/\/www.myfatblog.co.uk\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/#primaryimage\"},\"image\":{\"@id\":\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/#primaryimage\"},\"thumbnailUrl\":\"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png\",\"datePublished\":\"2018-06-26T09:01:38+00:00\",\"dateModified\":\"2018-06-26T09:01:38+00:00\",\"author\":{\"@id\":\"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6\"},\"description\":\"Microsoft are enforcing an MFA policy on Office 365 admins in their Azure Portals. 
Don't get caught out by this change and get prepared now.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/#primaryimage\",\"url\":\"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png\",\"contentUrl\":\"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png\",\"width\":263,\"height\":435},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/#website\",\"url\":\"http:\/\/www.myfatblog.co.uk\/\",\"name\":\"Blog of an overweight SharePoint addict\",\"description\":\"The rantings of a (not so) food obsessed IT consultant!\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.myfatblog.co.uk\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6\",\"name\":\"Cimares\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg\",\"contentUrl\":\"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg\",\"caption\":\"Cimares\"},\"sameAs\":[\"http:\/\/www.myfatblog.co.uk\"],\"url\":\"http:\/\/www.myfatblog.co.uk\/index.php\/author\/reginald\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Enforced MFA for Office 365 Admins - Don't get caught out! 
- Blog of an overweight SharePoint addict","description":"Microsoft are enforcing an MFA policy on Office 365 admins in their Azure Portals. Don't get caught out by this change and get prepared now.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/","og_locale":"en_US","og_type":"article","og_title":"Enforced MFA for Office 365 Admins - Don't get caught out! - Blog of an overweight SharePoint addict","og_description":"Microsoft are enforcing an MFA policy on Office 365 admins in their Azure Portals. Don't get caught out by this change and get prepared now.","og_url":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/","og_site_name":"Blog of an overweight SharePoint addict","article_published_time":"2018-06-26T09:01:38+00:00","og_image":[{"url":"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png"}],"author":"Cimares","twitter_card":"summary_large_image","twitter_creator":"@cimares","twitter_site":"@cimares","twitter_misc":{"Written by":"Cimares","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/","url":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/","name":"Enforced MFA for Office 365 Admins - Don't get caught out! 
- Blog of an overweight SharePoint addict","isPartOf":{"@id":"http:\/\/www.myfatblog.co.uk\/#website"},"primaryImageOfPage":{"@id":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/#primaryimage"},"image":{"@id":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/#primaryimage"},"thumbnailUrl":"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png","datePublished":"2018-06-26T09:01:38+00:00","dateModified":"2018-06-26T09:01:38+00:00","author":{"@id":"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6"},"description":"Microsoft are enforcing an MFA policy on Office 365 admins in their Azure Portals. Don't get caught out by this change and get prepared now.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/www.myfatblog.co.uk\/index.php\/2018\/06\/enforced-mfa-for-office-365-admins-dont-get-caught-out\/#primaryimage","url":"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png","contentUrl":"http:\/\/www.myfatblog.co.uk\/wp-content\/uploads\/2018\/06\/image_thumb.png","width":263,"height":435},{"@type":"WebSite","@id":"http:\/\/www.myfatblog.co.uk\/#website","url":"http:\/\/www.myfatblog.co.uk\/","name":"Blog of an overweight SharePoint addict","description":"The rantings of a (not so) food obsessed IT consultant!","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.myfatblog.co.uk\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6","name":"Cimares","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/image\/","url":"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg","contentUrl":"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg","caption":"Cimares"},"sameAs":["http:\/\/www.myfatblog.co.uk"],"url":"http:\/\/www.myfatblog.co.uk\/index.php\/author\/reginald\/"}]}},"_links":{"self":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1399"}],"collection":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=1399"}],"version-history":[{"count":2,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1399\/revisions"}],"predecessor-version":[{"id":1403,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1399\/revisions\/1403"}],"wp:attachment":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=1399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=1399"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=1399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}