Azure Active Directory

Enable MFA for Global Admins using a Conditional Access Policy.

This blog post will describe how to enable MFA for Global Admins using a Conditional Access Policy in Microsoft 365.

If there is one important thing you need to do after adding or creating a Global Administrator in your tenant, it is to enable Multi-Factor Authentication. Because it’s all about security, isn’t it?

Create a Conditional Access Policy

Now go to https://portal.azure.com and sign in with a Global Administrator account. The next step is to go to Azure Active Directory => Security => Conditional Access.

The first step is to create our policy. Click on + New Policy.

Now let’s give our policy a name. In this example, we will name our policy “Enable MFA for Global Admins”. In the “Assignments” section, select “Select users and groups” => “Directory Roles”. Then choose “Global Administrator” from the drop-down menu.

Then go to the “Cloud apps or actions” section and select “Cloud apps”. Select “All cloud apps”. Click “Select” to confirm.

In the “Access control” section, select “Grant Access” and then check “Require multi-factor authentication”. Confirm by clicking on “Select”.

The final step is to enable the policy by choosing “On” in the “Enable policy” section. Then select “Create”.

Your policy is now created and shown in the overview.


Because we enabled MFA, every existing or new Global Administrator (limit your tenant to 5) will be asked to configure MFA the next time they sign in.
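To check the result outside the portal, the following added example (not part of the original post) audits a policy in the JSON shape that Microsoft Graph returns for Conditional Access policies and lists anything that differs from the settings chosen above. The function names and the two sample policies are constructed for illustration; the role ID is the built-in Global Administrator role template ID.

```python
# Role template ID of the built-in Global Administrator role (same in every tenant).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

def audit_policy(policy, role_id=GLOBAL_ADMIN_ROLE):
    """Return the ways `policy` deviates from the policy built in this post."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    findings = []
    if policy.get("state") != "enabled":  # e.g. report-only or disabled
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")
    if role_id not in (users.get("includeRoles") or []):
        findings.append("role is not in includeRoles")
    for key in ("excludeRoles", "excludeUsers", "excludeGroups"):
        if users.get(key):
            findings.append(f"{key} is set: review who is exempt")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("policy does not target all cloud apps")
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("MFA is OR'ed with other controls, so it is optional")
    return findings

def role_is_protected(policies, role_id=GLOBAL_ADMIN_ROLE):
    """True if at least one policy has no findings for the role."""
    return any(not audit_policy(p, role_id) for p in policies)

# Constructed sample policies in Graph API shape (not from a real tenant).
AS_IN_POST = {
    "displayName": "Enable MFA for Global Admins",
    "state": "enabled",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
WEAKENED = {
    "displayName": "MFA for admins (pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE],
                             "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
                   "applications": {"includeApplications": ["Office365"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}
if __name__ == "__main__":
    for p in (AS_IN_POST, WEAKENED):
        print(p["displayName"], "->", audit_policy(p) or "OK")
```

The second sample shows four ways a policy with the right name can still leave the role unprotected: report-only state, an excluded user, a narrower app scope, and MFA offered as one alternative among several grant controls.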

NOTE: Microsoft recommends that, at a minimum, you enable MFA for the following roles:

  • Authentication Administrator
  • Billing administrator
  • Conditional Access administrator
  • Exchange administrator
  • Global administrator
  • Helpdesk administrator
  • Password administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

Also, check out my previous post on how to assign groups to Azure AD roles here.

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Expert for Arxus with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He is also a Microsoft Certified Trainer since 2021.
