An Azure AD Conditional Access Policy for Internals with High Sign-in Risk to perform MFA.

Suggested name:
CA2{XX}-Internals-IdentityProtection-AllApps-HighSigninRisk-MFA

Assignments

Users

Users and groups  
Include users CA-Persona-Internals
Exclude users Break-glass (emergency access) accounts

Cloud apps or actions

Cloud apps  
Include All cloud apps

Conditions

Sign-in risk
High

Access controls

Grant access  
Require Multifactor authentication
Session  
Sign-in frequency Every time

References

https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common