This blog post will describe how to enable MFA for Global Admins using a Conditional Access Policy in Microsoft 365.
If there is one important thing you need to do after adding or creating a Global Administrator in your tenant, it is to enable Multi-Factor Authentication. Because it’s all about security, isn’t it?
Create a Conditional Access Policy
Now go to https://portal.azure.com and sign in with a Global Administrator. The next step is to go to Azure Active Directory => Security => Conditional Access.
The first step is to create our policy. Click on + New Policy.
Now let’s give our policy a name; in this example, we will name our policy “Enable MFA for Global Admins”. In the “Assignments” section, you select “Select users and groups” => “Directory Roles”. Then choose “Global Administrator” from the drop-down menu.
Then go to the “Cloud apps or actions” section and select “Cloud apps”. Select “All cloud apps”. Click “Select” to confirm.
In the “Access control” section, you select “Grant Access” and then check “Require multi-factor authentication”. Confirm by clicking on “Select”.
The final step is to enable the policy by choosing “On” in the “Enable policy” section. Then select “Create”.
Your policy is now created and shown in the overview.
Because we enabled MFA, every existing or new Global Administrator (limit your tenant to 5) will be asked to configure MFA the next time they sign in.
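The policy the steps above build, written as the JSON body Microsoft Graph uses for Conditional Access policies, together with an audit check that tells you whether any enabled policy in the tenant actually enforces MFA on the Global Administrator role for all cloud apps. This is an added example, not code from the original post; the Graph field names and the Global Administrator role template ID are assumed from public documentation, and the sample policies are constructed.

```python
# Well-known directory role template ID for Global Administrator (public value, not from the post).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def build_policy(name="Enable MFA for Global Admins"):
    """Build the policy from the post in the shape Microsoft Graph expects for
    POST /identity/conditionalAccess/policies (assumed schema)."""
    return {
        "displayName": name,
        "state": "enabled",  # "Enable policy: On"
        "conditions": {
            "users": {  # "Directory Roles" => Global Administrator
                "includeRoles": [GLOBAL_ADMIN_ROLE_ID], "excludeRoles": [],
                "includeUsers": [], "excludeUsers": [],
                "includeGroups": [], "excludeGroups": [],
            },
            "applications": {  # "All cloud apps"
                "includeApplications": ["All"], "excludeApplications": [],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_covers_global_admins(policy):
    """True only if this one policy enforces MFA on Global Admins for every cloud app."""
    if policy.get("state") != "enabled":
        return False  # report-only or disabled policies enforce nothing
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    targets_ga = (GLOBAL_ADMIN_ROLE_ID in users.get("includeRoles", [])
                  or "All" in users.get("includeUsers", []))
    if not targets_ga or GLOBAL_ADMIN_ROLE_ID in users.get("excludeRoles", []):
        return False
    apps = cond.get("applications", {})
    if "All" not in apps.get("includeApplications", []) or apps.get("excludeApplications"):
        return False  # scoped to some apps only, or apps carved out
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", [])


def audit(policies):
    """Names of policies that enforce MFA for Global Admins; an empty list means a gap."""
    return [p["displayName"] for p in policies if policy_covers_global_admins(p)]


# Constructed sample, shaped like GET /identity/conditionalAccess/policies output:
# one policy left in report-only mode (a common mistake) and the one from the post.
SAMPLE_POLICIES = [
    {**build_policy("MFA for admins (report-only)"), "state": "enabledForReportingButNotEnabled"},
    build_policy(),
]
```

Feed the function the real policy list from Graph to confirm the policy you just created is the one doing the enforcing and not a report-only draft.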
NOTE: Microsoft recommends that you enable MFA for at least the following roles:
- Authentication Administrator
- Billing Administrator
- Conditional Access Administrator
- Exchange Administrator
- Global Administrator
- Helpdesk Administrator
- Password Administrator
- Security Administrator
- SharePoint Administrator
- User Administrator
Also, check out my previous post on how to assign groups to Azure AD roles here.