Microsoft-managed policies

As mentioned in the Microsoft Digital Defense Report in October 2023

...threats to digital peace have reduced trust in technology and highlighted the urgent need for improved cyber defenses at all levels...

...at Microsoft, our more than 10,000 security experts analyze over 65 trillion signals each day... driving some of the most influential insights in cybersecurity. Together, we can build cyber resilience through innovative action and collective defense.

As part this work we're making Microsoft-managed policies available in Microsoft Entra tenants around the world. These simplified Conditional Access policies take action to require multifactor authentication, which a recent study finds can reduce the risk of compromise by greater than 99%.

Administrators with at least the Conditional Access Administrator role assigned find these policies in the Microsoft Entra admin center under Protection > Conditional Access > Policies.

You can edit the state of a policy and what identities the policy should exclude. We recommend excluding your break-glass or emergency access accounts from managed policies just like other Conditional Access policies. Consider duplicating these policies if you need to make more changes than what's allowed in the Microsoft-managed policies.

Microsoft enables these policies after no less than 90 days after they're introduced in your tenant if they're left in the Report-only state. You can turn these policies on sooner, or opt out by setting the policy state to Off. Customers are notified via emails and Message center posts 28 days before the policies are enabled.

These Microsoft-managed policies allow administrators to make simple modifications like excluding users or turning them from report-only mode to on or off. Organizations can't rename or delete any Microsoft-managed policies. As Administrators get more comfortable with Conditional Access policy, they might choose to duplicate the policy to make custom versions.

As threats evolve over time, Microsoft might change these policies in the future to take advantage of new features, functionality, or to improve their function.

• Block legacy authentication
• Block device code flow
• Multifactor authentication for admins accessing Microsoft Admin portals
• Multifactor authentication for per-user multifactor authentication users

This policy blocks sign-in attempts using legacy authentication and legacy authentication protocols. These authentications might come from older clients like Office 2010, or clients that use protocols like IMAP, SMTP, or POP3.

Based on Microsoft's analysis more than 99 percent of password spray attacks use these legacy authentication protocols. These attacks would stop with basic authentication disabled or blocked.

This policy blocks device code flow, where a user initiates authentication on one device, completes on another, and their token is sent back to the original device. This type of authentication is common where users can't enter their credentials, like smart TVs, Microsoft Teams Room devices, IoT devices, or printers.

Device code flow is infrequently used by customers, but is frequently used by attackers. Enabling this Microsoft-managed policy for your organization helps remove this attack vector.

This policy covers 14 admin roles that we consider to be highly privileged, who are accessing the Microsoft Admin Portals, and requires them to perform multifactor authentication.

This policy targets Microsoft Entra ID P1 and P2 tenants where security defaults aren't enabled.

This policy covers users per-user MFA, a configuration that Microsoft no longer recommends. Conditional Access offers a better admin experience with many extra features. Consolidating all multifactor authentication policies in Conditional Access can help you be more targeted in requiring multifactor authentication, lowering end user friction while maintaining security posture.

This policy targets:

• Organizations with Microsoft Entra ID P1 and P2 licensed users
• Organizations where security defaults aren't enabled
• Organizations with less than 500 per-user MFA enabled or enforced users

To apply this policy to more users, duplicate it and change the assignments.

The following policies are available for when you upgrade from using security defaults.

• Block legacy authentication
• Require multifactor authentication for Azure management
• Require multifactor authentication for admins
• Require multifactor authentication for all users

This policy blocks legacy authentication protocols from accessing applications. Legacy authentication refers to an authentication request made by:

• Clients that don't use modern authentication (for example, an Office 2010 client)
• Any client that uses older mail protocols such as IMAP, SMTP, or POP3
• Any sign-in attempt using legacy authentication.

Most observed compromising sign-in attempts come from legacy authentication. Since legacy authentication doesn't support multifactor authentication, an attacker can bypass your multifactor authentication requirements by using an older protocol.

This policy covers all users when they're trying to access various Azure services managed through the Azure Resource Manager API including:

• Azure portal
• Microsoft Entra admin center
• Azure PowerShell
• Azure CLI

When trying to access any of these resources, the user is required to complete multifactor authentication before they can gain access.

This policy covers any user with one of the admin roles we consider to be highly privileged:

• Global Administrator
• Application Administrator
• Authentication Administrator
• Billing Administrator
• Cloud Application Administrator
• Conditional Access Administrator
• Exchange Administrator
• Helpdesk Administrator
• Password Administrator
• Privileged Authentication Administrator
• Privileged Role Administrator
• Security Administrator
• SharePoint Administrator
• User Administrator

Because of the power these highly privileged accounts have, they're required to use multifactor authentication whenever they sign into any application.

This policy covers all users in your organization and requires them to use multifactor authentication whenever they sign in. In most cases, the session persists on the device and users don't have to complete multifactor authentication when they interact with another application.

The managed policy and the sign-in logs are the two places where you can see the effect of these policies on your organization.

Review the Policy impact on sign-ins section of the managed policy to see a summary of the effect of the policy in your environment.

Analyze the Microsoft Entra sign-in logs to see specific details about how the policies affect real sign-in activity.

1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
2. Browse to Identity > Monitoring & health > Sign-in logs.
3. Use some or all of the following filters:
   • Correlation ID when you have a specific event to investigate.
   • Conditional Access to see policy failure and success.
   • Username to see information related to specific users.
   • Date scoped to the time frame in question.
4. Select a specific sign-in event, then select Conditional Access.
   • To investigate further, select the Policy Name to drill down into the configuration of the policies.
5. Explore the other tabs to see the client user and device details that were used for the Conditional Access policy assessment.

Conditional Access is a Microsoft Entra feature that allows organizations to enforce security requirements when accessing resources. Conditional Access is commonly used to enforce multifactor authentication, device configuration, or network location requirements.

These policies can be thought of as logical if then statements.

If the assignments (users, resources, and conditions) are true, then apply the access controls (grant and/or session) in the policy. If you're an administrator, who wants to access one of the Microsoft admin portals, then you must perform multifactor authentication to prove it's really you.

Administrators might choose to make further changes to these policies by duplicating them using the Duplicate button in the policy list view. This new policy can be configured in the same way as any other Conditional Access policy with starting from a Microsoft recommended position. Be careful that you don't inadvertently lower your security posture with those changes.

• Global Administrator
• Application Administrator
• Authentication Administrator
• Billing Administrator
• Cloud Application Administrator
• Conditional Access Administrator
• Exchange Administrator
• Helpdesk Administrator
• Password Administrator
• Privileged Authentication Administrator
• Privileged Role Administrator
• Security Administrator
• SharePoint Administrator
• User Administrator

Multifactor authentication completed using external authentication methods satisfies the MFA requirements of the Microsoft-managed policies.

When multifactor authentication is completed via a federated identity provider (IdP), it might satisfy Microsoft Entra ID MFA requirements depending on your configuration. For more information, see Satisfy Microsoft Entra ID multifactor authentication (MFA) controls with MFA claims from a federated IdP.

Custom controls don't satisfy multifactor authentication claim requirements.

• Deploy other commonly used policies from templates