A new security feature has been delivered in preview for Azure AD: a security baseline for any Azure AD administrator.
This baseline will be enabled by default (during the preview you HAVE to enable it yourself) and will require multi-factor authentication (MFA) for any privileged account, such as:
- Global Administrator
- Service Administrator
- SharePoint Administrator
- Exchange Administrator
- Conditional Access Administrator
- Security Administrator

To enable or disable the security baseline (disabling it is not recommended), sign in to your Azure or Azure AD portal with a global administrator account and open the Conditional Access configuration blade.

There you should see the policy named "Baseline policy: Require MFA for admins".

If you edit the policy, you can enable or disable it and define excluded users and groups (don't forget to exclude the account you may use for the Exchange Hybrid endpoint). It is recommended to keep at least one GA account that is not impacted by the baseline policy (of course, that account needs a very strong and secure password, kept in a safe place).