Enhancing Your Security with Microsoft’s New Managed Conditional Access Policies



In a world where cyberthreats are ever-evolving, security is paramount. And Microsoft is stepping up to the plate by introducing a set of new Microsoft-managed Conditional Access policies designed to bolster your defense against potential cyberattacks. These policies are part of a broader initiative aimed at fortifying security and ensuring the protection of your user accounts.

Microsoft’s deep understanding of the current threat landscape has guided the creation of these policies, which are set to be rolled out to eligible customers in the coming weeks. The man behind this initiative, Alex Weinert, Vice President for Identity Security at Microsoft, expresses the company’s commitment to continuously adapt these policies to maintain a high-security bar.

So, what exactly is this set of Conditional Access policies, and how will it benefit your organization?

Require Multifactor Authentication for Admin Portals

The first policy mandates multi-factor authentication (MFA) for administrators when signing into Microsoft admin portals, including Azure, Microsoft 365, and Exchange. This policy will be enabled for all eligible Entra ID customers. By enforcing MFA for these critical access points, Microsoft aims to significantly enhance security for your admin accounts.

MFA for Per-User MFA Users

The second policy is tailored for existing per-user multi-factor authentication customers. It makes MFA mandatory for all cloud applications, simplifying the transition to Conditional Access. This step ensures that all user interactions with cloud apps are protected by MFA, reducing the risk of unauthorized access.

MFA for High-Risk Sign-Ins

For customers with a Microsoft Entra ID Premium Plan 2 subscription, the third policy comes into play. It requires MFA and re-authentication during sign-ins associated with a high level of risk. This additional layer of security provides peace of mind when dealing with sensitive or high-risk scenarios.

Once these policies are introduced, administrators will have a 90-day window to review, customize, or disable them. During this period, the policies will be in report-only mode, in which Conditional Access logs what each policy would have done without enforcing it. This approach gives administrators the flexibility to adapt the policies to their organization's needs before they take effect.

Customize these Policies

You may wonder where to access and modify these policies. Administrators with at least the Conditional Access Administrator role can find them in the Microsoft Entra admin center, under Protection –> Conditional Access –> Policies. The new policy view offers comprehensive information, including a policy summary, recommended actions, alerts, and policy impact. Furthermore, sign-in and audit logs can be used to track policy enforcement and monitor its impact.

To accommodate exceptions such as emergency access or break-glass accounts, Microsoft provides the option to exclude specific users, roles, and groups from these policies. Additionally, admins can duplicate a policy and tailor it to meet their company’s specific requirements, just as they would with any other Conditional Access policy.
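Before the 90-day window closes, two things are worth verifying rather than assuming: which of the managed policies are still in report-only mode, and whether the break-glass account really is excluded from every policy that requires MFA. The following Python audit is an added example, not code from the original post or from Microsoft. It runs over policies exported in the shape of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.users, grantControls); the policy names, user, role and group IDs below are constructed placeholders, and the `MicrosoftAdminPortals` application identifier and the `enabledForReportingButNotEnforced` state value are assumed to match Graph's documented values.

```python
"""
Audit exported Conditional Access policies for two checks an admin wants
during the report-only window:
  1. which policies are report-only, enforced, or disabled, and
  2. whether the break-glass account is excluded from every policy that
     requires MFA (directly, or via an excluded group it belongs to).
All IDs and names below are constructed sample values for this example.
"""
import json

# Constructed placeholders: not real tenant object IDs.
BREAK_GLASS_USER_ID = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_GROUP_ID = "22222222-2222-2222-2222-222222222222"
ADMIN_ROLE_ID = "33333333-3333-3333-3333-333333333333"

# Constructed sample export, loosely modelled on the three managed policies
# described in the post (Graph conditionalAccessPolicy shape, abbreviated).
SAMPLE_POLICIES_JSON = json.dumps([
    {
        "displayName": "Sample: MFA for admins accessing admin portals",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": [ADMIN_ROLE_ID],
                      "excludeUsers": [BREAK_GLASS_USER_ID],
                      "excludeGroups": []},
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Sample: MFA for per-user MFA users",
        "state": "enabled",  # already enforced, and nobody is excluded
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Sample: MFA for high-risk sign-ins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "excludeGroups": [BREAK_GLASS_GROUP_ID]},  # excluded via group
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
])


def load_policies(raw: str) -> list:
    """Parse an exported policy list (JSON array of policy objects)."""
    return json.loads(raw)


def requires_mfa(policy: dict) -> bool:
    """True if the policy's grant controls include the built-in MFA control."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "mfa" in controls


def user_excluded(policy: dict, user_id: str, member_of=frozenset()) -> bool:
    """True if user_id is excluded directly or through one of its groups."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if user_id in users.get("excludeUsers", []):
        return True
    return bool(set(member_of) & set(users.get("excludeGroups", [])))


def audit(policies: list, break_glass_id: str, break_glass_groups=frozenset()) -> dict:
    """Classify each policy by state and flag MFA policies lacking the exclusion."""
    report = {"report_only": [], "enforced": [], "disabled": [],
              "missing_break_glass_exclusion": []}
    for policy in policies:
        name = policy["displayName"]
        state = policy.get("state")
        if state == "enabledForReportingButNotEnforced":
            report["report_only"].append(name)
        elif state == "enabled":
            report["enforced"].append(name)
        else:
            report["disabled"].append(name)
        # A disabled policy cannot lock anyone out, so only check live ones.
        if state != "disabled" and requires_mfa(policy) \
                and not user_excluded(policy, break_glass_id, break_glass_groups):
            report["missing_break_glass_exclusion"].append(name)
    return report


if __name__ == "__main__":
    result = audit(load_policies(SAMPLE_POLICIES_JSON),
                   BREAK_GLASS_USER_ID, {BREAK_GLASS_GROUP_ID})
    print(json.dumps(result, indent=2))
```

Run against a real export (for example the output of the Graph policy list endpoint saved to a file), the `missing_break_glass_exclusion` list is the one to act on before enabling a policy, since an enforced MFA policy with no exclusion can lock out the very account meant for recovery.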

Enhancing Security by Default

Microsoft’s journey toward making MFA a standard practice among users began a decade ago and resulted in significant success in enhancing the security of consumer accounts. Encouraged by this progress, Microsoft extended its focus to enterprise users. However, they encountered unique challenges, such as customers having control over account policies and concerns about user friction, budget constraints, talent shortages, and security backlogs.

In response to these challenges, Microsoft introduced security defaults, but some customers needed more granular control. Entra Conditional Access followed, offering the customization and flexibility that those customers wanted. Microsoft-managed Conditional Access policies aim to strike a balance between the two, providing a clear policy recommendation that is easy to deploy and can still be customized to meet specific needs.

In the fast-paced world of cybersecurity, these policies represent a significant step toward achieving a 100% multi-factor authentication goal. Microsoft is dedicated to ensuring that every user authenticates with modern strong authentication, which it states reduces the risk of account takeover by over 99%. For more information, please read Microsoft’s official announcement.
