Azure Conditional Access Policies - Force MFA for Admin Roles
If you don't have multi-factor authentication configured for your Administrator accounts, then you're leaving your Azure environment more vulnerable to exploitation from malicious actors.
Conditional Access Policies provide a great way to implement a blanket rule for any person with privileged roles to have MFA enforced.
Note: You'll need Azure Premium 2 licences assigned per user to use this feature.
Log in to your Azure portal. You'll need either Global Administrator or Conditional Access Policy Administrator. Click on Services and Search for Azure AD Conditional Access, then select it.
Under Policies, click + New Policy from template (Preview). Whilst you can create the policy from scratch, this is another route where Microsoft provide a handful of pre-configured policies for faster deployment.
The policy we're going to use is already selected (Require multifactor authentication for admins).
The newly created policy now shows in the main screen. However there's a couple of tweaks we need to make. So click on the policy to edit it.
Under Users, we're going to add additional Administrator roles. For whatever reason, Microsoft only add key roles by default, but I'd recommend you review the list and add more.
Next, click on Exclude and add a Global Administrator role (ideally a break glass account). The reason for this is to ensure you never get locked out by a misconfiguration or a security event that impacts MFA. You could look at alternative MFA solutions such as FIDO2 keys like Yubikeys, but I'll leave that decision with you!
Lastly, change the policy status from Report-only to On, then click Save.
Congratulations, you have now enabled an active CA Policy:)