With the threefold increase in identity attacks over the past year, Microsoft is very keen on increasing its security measures to prevent such. Due to this, a new baseline security policy is being rolled out by Microsoft for Azure Active Directory and Office 365. This policy hasn’t been officially enabled so far, but you can view it as it is in public preview at the moment.
Once enabled, this security policy will by default make it necessary for any accounts that are a member of any of these privileged roles to go through multi-factor authentication.
● Exchange Administrator
● Sharepoint Administrator
● Global Administrator
● Conditional Access Administrator
● Security Administrator
You can easily learn more about this policy by navigating to the Conditional Access – Policies section in your Azure AD portal.
Despite being implemented under conditional access policies, baseline security policy doesn’t offer any customization whatsoever with the exception of users and groups. Unlike other conditional policies which are fully customizable if you have the premium license, this security policy is available for all users.
Though there aren’t many exceptions, you can choose to exclude at least one global admin account from all policies that come under conditional access. It is highly recommended in case of an emergency lockout from all other accounts. This account should not be used for daily tasks and have a very strong password stored somewhere very discreet. In addition to making the above excursions, you can also switch to Managed Service Identity and server principles with certificates for enforced security.
Owing to no customization offered in this new baseline security policy, it is being touted as mandatory at many places and this move is coming across as Microsoft forcing its users to go through this. That’s completely false, not only you can set up various exclusions within the policy, you can also opt out of policy before it is live by selecting the option Do not use policy.
Even those accounts which have been temporarily raised to a privileged role that baseline security policy may apply to them, have to go through multi-factor authentication for the time period. Also, Microsoft made some recent changes in conditional access which allows policies to be targeted at the directory roles such as user ends which are much wider than five main roles targeted by default by byline security policy.
Needless to say, Microsoft has been pushing its users to become more secure and it is hardly a surprise considering the increase in threats and lack of awareness amongst its users. As recent as last year, more than half of its users weren’t deploying multi-factor authentication even for their most crucial admin accounts. And all this, when it is one of the most recommended things to Office 365 subscribers and a general security recommendation of Microsoft. Office 365 is the most secure platform due to highly emphasis by Microsoft upon the security of its users.