Conditional Access Baseline rules in the Azure AD

Conditional Access is a capability of Azure Active Directory (Azure AD) that enables you to control how authorized users access your cloud apps.

Using baseline policies, these areas of attention are addressed automatically and continually. The first baseline policy, which is now in public preview, is “Baseline policy: Require MFA for admins (Preview)”, which covers the basics. It is a policy in preview status that Microsoft will enable unless you turn it off yourself. The policy is not yet active, but it will not be long before Microsoft enables it.

In any case, we have already started testing and have the policy enabled at various customers.
The policy will force MFA for accounts with one of the following roles:

  • Global administrators (also known as Company administrators)
    This role permits access to all administrative features across Azure AD and Office 365. This is the most powerful role.
  • SharePoint administrators
    This role permits access to the SharePoint online admin center. This includes the ability to create, delete, and assign permissions to site collections and manage OneDrive for Business.
  • Exchange administrators
    This role permits management of Exchange Online. This includes the ability to grant Send As and Send on Behalf permissions to users for other user’s mailboxes.
  • Conditional Access administrators
    This role grants the ability to manage Azure Active Directory conditional access settings. To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator.
  • Security administrators
    This role grants the ability to read security and audit information, and to manage the Privileged Identity Management service and the Identity Protection Center (requires Azure AD Premium P2).

Currently, this baseline policy is in public preview and not enforced. However, Microsoft is planning to turn it on automatically in the near future.

Microsoft is starting to roll out three new baseline policies in Conditional Access, alongside the existing one:

  • Baseline policy: Require MFA for admins (Preview)
  • Baseline policy: End user protection (Preview)
  • Baseline policy: Block legacy authentication (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

Conditional Access normally requires a Premium SKU (P1 or P2) for Azure AD, but Baseline Protection is available for all editions of Azure AD, including Free.
Baseline policies in Conditional Access are part of Baseline Protection in Azure Active Directory (Azure AD), and the goal of these policies is to ensure that at least a baseline level of security is enabled in Azure AD.

Here is a walk-through of all the available baseline policies that Microsoft offers and how they protect your organization.

To get an overview of the accounts that hold these roles, run the following script with the Azure AD PowerShell module:

# Sign in to the tenant with an account that can read directory roles
Connect-AzureAD

# Select the five roles covered by the baseline policy and list their members (curly quotes and the missing closing brace of the filter block corrected)
Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Company Administrator' -or $_.DisplayName -eq 'SharePoint Administrator' -or $_.DisplayName -eq 'Exchange Administrator' -or $_.DisplayName -eq 'Conditional Access Administrator' -or $_.DisplayName -eq 'Security Administrator'} | Get-AzureADDirectoryRoleMember | Format-Table DisplayName,UserPrincipalName

The above two lines of PowerShell code will provide a table with accounts affected. Some accounts may appear multiple times when these accounts have multiple directory roles assigned to them.
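To turn that raw listing into something you can act on before the policy is enforced, the following script (an added example, not code from the original post) lists each affected account once, with all of its roles, and flags whether the account has registered any MFA method. It assumes the AzureAD and MSOnline modules are installed and that Connect-AzureAD and Connect-MsolService have already been run; the role names, the output file name and the use of the StrongAuthenticationMethods property as the MFA-registration indicator are this example's own choices.

```powershell
# Added example (not from the original post): one row per account holding any of the
# five roles covered by "Baseline policy: Require MFA for admins", with its roles and
# whether an MFA method is registered. Assumes Connect-AzureAD and Connect-MsolService
# have already been run with sufficient read permissions.

$targetRoles = @(
    'Company Administrator',
    'SharePoint Administrator',
    'Exchange Administrator',
    'Conditional Access Administrator',
    'Security Administrator'
)

# Get-AzureADDirectoryRole only returns roles that are activated in the tenant,
# i.e. roles that have had at least one assignment.
$assignments = foreach ($role in Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $targetRoles }) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Groups and service principals are skipped; the baseline policy targets user accounts.
        if ($member.ObjectType -eq 'User') {
            [pscustomobject]@{
                UserPrincipalName = $member.UserPrincipalName
                DisplayName       = $member.DisplayName
                Role              = $role.DisplayName
            }
        }
    }
}

# Collapse the duplicates that appear when one account holds several roles.
$report = $assignments | Group-Object UserPrincipalName | ForEach-Object {
    $upn = $_.Name
    # StrongAuthenticationMethods is empty when the user has not registered any MFA method.
    $msolUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserPrincipalName = $upn
        DisplayName       = $_.Group[0].DisplayName
        Roles             = ($_.Group.Role | Sort-Object -Unique) -join ', '
        MfaRegistered     = [bool]($msolUser -and $msolUser.StrongAuthenticationMethods.Count -gt 0)
    }
}

# Accounts without a registered method will be prompted to register once the policy is enforced;
# show them first and export them for follow-up.
$report | Sort-Object MfaRegistered, UserPrincipalName | Format-Table -AutoSize
$report | Where-Object { -not $_.MfaRegistered } |
    Export-Csv -Path .\admins-without-mfa.csv -NoTypeInformation
```

Running this before Microsoft switches the policy on gives you the list of admin accounts that will be blocked until they complete MFA registration, so you can reach out to them (or remove stale role assignments) ahead of time rather than discovering it during an outage.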


Read more about baseline protection and baseline policies on docs.microsoft.com