Microsoft has auto rolled out a set of “Microsoft-Managed” Conditional Access policies in the Azure Entra tenants (Entra ID Premium 1 and Premium 2 tenants.) to secure them by default. Azure Administrators are required to review the rolled out Conditional Access policies and take necessary action before these policies take effect in the tenant.
Enabling multifactor authentication is a top recommendation from Microsoft to secure the Azure AD tenants, hence Microsoft has designed and rolled out the “Microsoft-Managed” Conditional Access policies directly in the Azure Entra tenants. The CA policies are currently in “Report-Only” mode (Policy is evaluated but not enforced) till end of January 2024 providing Azure administrators enough time to fine-tune these policies and turn them “On”. The Administrators do have the option to turn the policies “Off” completely if decided.
Please see the following table for list of CA policies deployed, corresponding description and the applicable tenants.
Conditional access policy |
Eligible tenants |
policy Description |
Require multifactor authentication for admin portals |
Tenants with Entra ID Premium P1 and P2 licenses where security defaults are not enabled. |
Enforce MFA to the Accounts assigned to the Admin roles in Microsoft Admin portals. |
Require multifactor authentication for per-user multifactor authentication users |
Tenants with Entra ID Premium P1 and P2 licenses where security defaults are not enabled and there are less than 500 per-user MFA enabled/enforced users. |
Requires MFA for all cloud apps. |
Require multifactor authentication for high-risk sign-ins |
Tenants with Entra ID Premium P2 licenses where there are enough P2 licenses to enable the policy for all users. |
Requires MFA and reauthentication when Entra ID detects high-risk sign-ins. |
Where should Administrators check for the “Microsoft-Managed” Conditional Access policies?
Administrators can login to the Entra ID portal (https://entra.microsoft.com) and navigate through Protection → Conditional Access → Policies. The auto-rolled out CA policies will have the tag “MICROSOFT-MANAGED” making it easy to differentiate them from other custom policies created by the Azure Administrators.
Can administrator opt-out their tenant from the “Microsoft-Managed” Conditional Access policies?
No, Administrators do not have the option to opt-out their tenant from the “Microsoft-Managed” CA policies.
What will happen if the Administrator has already deployed a custom Conditional Access policies similar to the “Microsoft-Managed” CA policies?
If Administrators have already deployed custom Conditional Access Policies similar to the “Microsoft-Managed” policies and decided to leave both policies “ON,” the most restrictive policy will be applied to the scope of users defined in the policy.
What will happen if the Administrators do not act on the “Microsoft-Managed” Conditional Access policies?
The Microsoft-Managed Conditional access policies are currently in “Report-Only” mode and expected to turn “ON” automatically in the first week of February 2024 or even sooner. Once the Policies get turned “ON,” the scoped users will be prompted for Multi-factor authentication to access the corresponding resources based on the policies applied. The Administrators can refine these policies based on the Organizational requirements, turn them “On” or “off” completely. If Administrators do not act on these policies, they will be turned “ON” automatically with the default conditions.
Do Administrations have access to remove the “Microsoft-Managed” Conditional Access policies?
No, Administrators will not have access to remove the “Microsoft-Managed” CA policies. They will have access only to edit the Policies, turn them “Off” or “On.”
Helient strongly recommends Azure Administrators review the Microsoft-Managed Conditional Access policies as a high priority and apply to the tenant. If you would like more information or assistance on Conditional Access policies best practices, please contact our Industry-leading experts at service@helient.com.