A new security feature has been delivered in preview for Azure AD; a security baseline for any Azure AD Administrator.

This baseline will be enabled by default (during the preview you HAVE to enable it) and is going to request multi-factor authentication (MFA) for any privileged account like:

  • Global Administrator
  • Service Administrator
    • SharePoint Administrator
    • Exchange Administrator
  • Conditional Access Administrator
  • Security Administrator

To enable/disable (while not recommended) the security baseline go to your Azure or Azure AD portal with a global administrator account and reach the Conditional Access configuration blade

image

Then you should have the Basline policy: Require MFA for admins policy

image

If you edit the policy you will be able to enable/disable it as well as define excluded users/groups (don’t forget to exclude the account you may use for Exchange Hybrid endpoint Smile); this is recommended to have a least one GA account not impacted by the baseline policy (off course you will need to have a very strong and secure password and keep it in a safe place).

image