Late in may the “Baseline Policy: Require MFA for admins” got company of three other baseline policies in preview.

Baseline policies are a set of predefined policies that help protect organizations against many common attacks.

Baseline policies are available in all editions of Azure AD. The goal of these four policies is to ensure that all organizations have a baseline level of security enabled at no extra cost.

Require MFA for admins

“Require MFA for admins” is a baseline policy that requires multi-factor authentication (MFA) for the following directory roles, considered to be the most privileged Azure AD roles:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator
  • Helpdesk administrator / Password administrator
  • Billing administrator
  • User administrator

This also demand that those roles only use modern authentication, that supports MFA. You should also add the “Baseline policy: Block legacy authentication (preview) to make sure MFA are triggered.

You could make exeptions from the polcy if needed, such as “break the glass” administrator accounts. Such accounts should be closesly monitored.

End user protection (preview)

This is a baseline policy that protects all users in your Azure AD directory. Enabling this policy requires all users to register for Azure Multi-Factor Authentication within 14 days. Once registered, users will be prompted for MFA during risky sign-in attempts. Compromised user accounts are blocked until password reset and risk dismissal.

Block legacy authentication (preview)

Legacy authentication protocols (ex: IMAP, SMTP, POP3) are protocols normally used by older mail clients to authenticate. Legacy protocols do not support multi-factor authentication. Even if you have a policy requiring MFA, a bad actor can authenticate using one of these legacy protocols and bypass multi-factor authentication.

The best way to protect your account from malicious authentication requests made by legacy protocols is to block them.

Require MFA for service management (preview)

This policy will require MFA when logging on to typical priviledged tools and locations.

  • Azure portal
  • Azure PowerShell
  • Azure CLI