New baseline policies available in Conditional Access
Last week Microsoft starting to rollout three new baseline policies in Conditional Access.
- Baseline policy: Block legacy authentication (Preview)
- Baseline policy: Require MFA for Service Management (Preview)
- Baseline policy: End user protection (Preview)
Baseline Policy in Conditional Access are part of Baseline Protection in Azure Active Directory (Azure AD) and the goal of these policies is to ensure that you have at least the baseline level of security enabled in Azure AD.
Conditional Access are normally part for a Premium SKU (P1 or P2) for Azure AD but Baseline Protection are available for all editions of Azure AD, including Free.
Here is a walk-through of all the available baseline policies that Microsoft offers and how they protect your organization.
Require MFA for admins
This policy requires Multi-Factor Authentication (MFA) for accounts that are part for directory roles that elevate an account with more privileged than a normal account. This policy also blocks legacy authentication, like POP, IMAP and older Office desktop client.
The directory roles that are covered by this policy are:
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional access administrator
- Security administrator
- Helpdesk administrator / Password administrator
- Billing administrator
- User administrator
Block legacy authentication
This policy blocks all sign-ins using legacy authentication protocols that doesn’t support Multi-Factor Authentication, such as
- IMAP, POP, SMTP
- Office 2013 (without registry keys for Modern Authentication)
- Office 2010
- Thunderbird client
- Legacy Skype for Business
- Native Android mail client
However, this policy does not block Exchange ActiveSync.
Require MFA for Service Management
This policy requires users logging into services that rely on the Azure Resource Manager API to perform multi-factor authentication (MFA). Services requiring MFA include:
- Azure Portal
- Azure Command Line Interface (CLI)
- Azure PowerShell Module
End user protection
This policy protects users by requiring multi-factor authentication (MFA) during risky sign-in attempts to all applications. Users with leaked credentials are blocked from signing in until a password reset.
Once the policy is enabled, users are required to register for MFA within 14 days of their first login attempt. The default method of MFA registration is the Microsoft Authenticator App.
Here are a few recommendations before you enable these polices:
- If you have privileged accounts that are used in scripts or Azure Automations, you should replace them with Managed Identities for Azure resources or service principals with certificates. You could also exclude specific user accounts from the baseline policy but should be a temporary workaround.
- Make sure you exclude the emergency-access / break glass account(s) from these polices
Read more about baseline protection and baseline policies on docs.microsoft.com