Conditional Access Policy

Require phishing-resistant multifactor authentication for every sign-in by a user holding one of the Azure AD administrator roles listed below, to all cloud apps, from any platform.

Suggested name:
CA1{XX}-Admin-IdentityProtection-AllApps-AnyPlatform-RequirePhishingResistantMFA

Assignments

Users

Users and groups  
Include directory roles
  • Global administrator
  • Security administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Helpdesk administrator
  • Billing administrator
  • User administrator
  • Authentication administrator
  • Application administrator
  • Cloud application administrator
  • Password administrator
  • Privileged authentication administrator
  • Privileged role administrator
Exclude users
  • Break-glass (emergency access) accounts
  • Service accounts (keep this exclusion as small as possible and review it regularly; an excluded account that holds one of the roles above is outside the policy's protection)

Cloud apps or actions

Cloud apps  
Include All cloud apps

Access controls

Grant access  
Require Phishing-resistant multifactor authentication
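The same policy created through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. It resolves the directory role template IDs and the built-in "Phishing-resistant MFA" authentication strength by display name instead of hard-coding GUIDs, and creates the policy in report-only state so sign-in logs can be reviewed before enforcement. The break-glass UPNs, the optional service-account group IDs and the policy number "CA100" are placeholders you must replace.

```powershell
# Added example: create the admin phishing-resistant MFA policy with Microsoft Graph PowerShell.
# Placeholders (UPNs, group IDs, policy number) are assumptions; replace them with your own values.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users

param(
    # Assumption: UPNs of your break-glass accounts.
    [string[]]$BreakGlassUpns = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com'),
    # Assumption: object IDs of group(s) holding service accounts to exclude; leave empty if none.
    [string[]]$ExcludeGroupIds = @(),
    # Policy number in the CA1XX naming scheme; 'CA100' is a placeholder.
    [string]$PolicyNumber = 'CA100'
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All', 'User.Read.All'

# Roles listed in the policy template.
$roleNames = @(
    'Global Administrator', 'Security Administrator', 'SharePoint Administrator',
    'Exchange Administrator', 'Conditional Access Administrator', 'Helpdesk Administrator',
    'Billing Administrator', 'User Administrator', 'Authentication Administrator',
    'Application Administrator', 'Cloud Application Administrator', 'Password Administrator',
    'Privileged Authentication Administrator', 'Privileged Role Administrator'
)

# Resolve role template IDs by display name; fail loudly if a name does not match.
$roleTemplates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $roleNames) {
    $template = $roleTemplates | Where-Object DisplayName -eq $name
    if (-not $template) { throw "Role template '$name' not found in this tenant." }
    $template.Id
}

# Resolve break-glass accounts to object IDs (Conditional Access stores IDs, not UPNs).
$excludeUserIds = foreach ($upn in $BreakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
}

# Resolve the built-in 'Phishing-resistant MFA' authentication strength.
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw "Authentication strength 'Phishing-resistant MFA' not found." }

$policy = @{
    displayName = "$PolicyNumber-Admin-IdentityProtection-AllApps-AnyPlatform-RequirePhishingResistantMFA"
    # Report-only first; change to 'enabled' after confirming no admin is locked out.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeRoles  = $roleIds
            excludeUsers  = $excludeUserIds
            excludeGroups = $ExcludeGroupIds
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Verify in the Azure AD sign-in logs (Report-only tab) that the break-glass accounts are never in scope and that every admin role sign-in is evaluated, then flip the state to enabled.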

References

https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common