2 weeks left until MFA enforcement for admins who are signing in to admin portals
- Vlad Johansen

- Oct 1, 2024
- 2 min read
Microsoft announced in August 2024 that they will enforce MFA on all admin accounts that sign in to the following admin portals:

| Admin portal | Application ID |
|---|---|
| Azure portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |
| Microsoft Entra admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |
| Microsoft Intune admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |

Note that all three portals share the same application ID, so one Conditional Access policy targeting that application (or the built-in "Microsoft Admin Portals" target) covers all of them.
To ensure your admins keep access to these portals, enable MFA on all admin accounts by 15 October 2024. Microsoft allows customers with technical barriers or complex environments to postpone the enforcement date to 15 March 2025. The postponement is requested at https://aka.ms/managemfaforazure by an account holding the Global Administrator role.
H*LL YEAH! NOOOTT. Remember, the postponement is only for those who genuinely CAN'T use MFA on some admin accounts yet. If your environment isn't complex and has no technical barriers, forget the postponement date and make sure everything is in order on your tenant now.
I think many organizations did this a long time ago, but there is always someone who hasn't, or who missed some accounts.
So, how do you verify that every admin on your tenant is using MFA?
Download, unzip and run this PowerShell script here
The script uses Microsoft Graph and installs all the modules needed to generate the report. The report is written as a .csv file in the same folder as the script. Convert the .csv file to .xml and you get a report like this
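If you prefer to see what such a report does rather than run a downloaded script, here is an added example (not the script linked above) that produces the same kind of list: every user who is a member of an activated Entra ID directory role, with their MFA registration state, written to a .csv next to the script. It assumes the Microsoft Graph PowerShell SDK v2 is installed (`Install-Module Microsoft.Graph`) and that the signed-in account can consent to the scopes listed; the output file name is my choice.

```powershell
# Added example: admin MFA registration report via Microsoft Graph PowerShell.
# Assumes Microsoft Graph PowerShell SDK v2 and an account that can grant the scopes below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Reports, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'User.Read.All',
                        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# One call for the whole tenant: the authentication-methods registration report, keyed by user object ID.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $registration[$_.Id] = $_ }

# Get-MgDirectoryRole returns only roles that have been activated in the tenant (i.e. have or had members).
$rows = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members can be users, groups or service principals; only users register MFA methods.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AccountEnabled
        $reg  = $registration[$member.Id]   # $null if the user has never shown up in the report

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            IsMfaRegistered   = [bool]$reg.IsMfaRegistered
            # IsMfaCapable: a registered method is actually usable for MFA under the tenant's method policy
            IsMfaCapable      = [bool]$reg.IsMfaCapable
            MethodsRegistered = ($reg.MethodsRegistered -join ';')
            DefaultMfaMethod  = $reg.DefaultMfaMethod
        }
    }
}

# Write the CSV beside the script (or in the current directory when pasted into a console).
$folder = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$csv    = Join-Path $folder 'AdminMfaReport.csv'   # assumed file name
$rows | Sort-Object UserPrincipalName, Role | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# What actually has to be fixed before the enforcement date: enabled admin accounts with no usable MFA method.
$gap = $rows | Where-Object { $_.AccountEnabled -and -not $_.IsMfaCapable } |
       Select-Object -Unique UserPrincipalName
"Report written to $csv. Enabled admins without an MFA-capable method: $(@($gap).Count)"
$gap | Format-Table -AutoSize
```

Two caveats when reading the output. `IsMfaRegistered` alone is not enough: a user can have a method registered that the authentication methods policy no longer allows, which is why the gap list is built on `IsMfaCapable`. And `Get-MgDirectoryRole` only sees permanent, active assignments; if you use PIM, eligible admins must be pulled from the role eligibility schedule instances as well, otherwise they are missing from the list.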
Next, map all users with an active account who will be impacted by Microsoft's MFA enforcement, for example Intune Administrators, Conditional Access Administrators etc., and create a Conditional Access policy for them. It is of course recommended to enforce MFA on all admin roles. Remember that you need at least an Entra ID P1 license on your tenant to use Conditional Access.
Here are 2 ready .json files that can be imported to your tenant with Micke's Intune Tool, which I wrote about in a previous blog post, How to bulk export and import Conditional Access policies (need4.cloud).
The CA100 policy scopes 16 directory roles and requires all of them to use MFA to sign in to the admin portals.
CA101 has the same requirements, but for all cloud apps instead of just the admin portals.
You can tweak these policies as you want, for example enforcing phishing-resistant MFA or adding/removing roles and user accounts.
PS: Don't forget about your break glass / emergency accounts. These accounts also need MFA, but they must be excluded from your Conditional Access policies. I will write a new post about best practices for these accounts later.
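For those who would rather create the policy from code than import a .json, here is an added example (not the CA100/CA101 files from this post) that builds the same kind of policy with Microsoft Graph PowerShell: a set of admin roles, the built-in "Microsoft Admin Portals" target, MFA as the grant control, break-glass accounts excluded, and created in report-only mode so you can review sign-in impact before enforcing. The role list and the two break-glass UPNs are my assumptions and must be adjusted for your tenant; it assumes the Graph PowerShell SDK v2.

```powershell
# Added example: create an admin-portal MFA Conditional Access policy via Microsoft Graph PowerShell.
# Assumes Graph PowerShell SDK v2. The role names and break-glass UPNs below are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All',
                        'Directory.Read.All', 'User.Read.All' -NoWelcome

# Roles to scope (assumed list; extend to match your own CA100). Role template IDs are resolved at
# run time from the display names instead of hard-coding GUIDs.
$roleNames = @(
    'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator',
    'Conditional Access Administrator', 'Security Administrator', 'Authentication Administrator',
    'Intune Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'Application Administrator', 'Cloud Application Administrator', 'User Administrator',
    'Helpdesk Administrator'
)
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $roleNames) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Role template not found: $name" }
    $t.Id
}

# Break-glass accounts (assumed UPNs). They are excluded from the policy but should still have MFA registered.
$breakGlassUpns = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    # Refuse to create a policy whose exclusion list is incomplete: that is how lock-outs happen.
    if (-not $u) { throw "Break-glass account not found: $upn" }
    $u.Id
}

$policy = @{
    displayName = 'CA100 - Require MFA for admin roles on Microsoft Admin Portals'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{
            # 'MicrosoftAdminPortals' is the built-in target covering Azure, Entra, Intune and the other
            # admin centers. Use @('All') instead for the CA101 "all cloud apps" variant.
            includeApplications = @('MicrosoftAdminPortals')
        }
        users = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlassIds)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
        # Phishing-resistant variant: remove builtInControls and require the built-in strength instead:
        # authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Leave the policy in report-only mode for a few days and check the Conditional Access insights workbook or the sign-in logs for admins who would have been blocked; only then flip `state` to `enabled`. Keep the break-glass exclusion even after the Microsoft-side enforcement arrives, and monitor those accounts separately, since excluded accounts are exactly the ones an attacker will look for.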
If you don't have an Entra ID P1 license (it is included in Business Premium and E3), you can use Security defaults on your tenant or per-user MFA instead. But remember that with these methods you can't require specific strong authentication methods, choose target resources, or set other conditions. And per-user MFA will be retired in September 2025.