Microsoft introduces new access policies in Entra to boost MFA usage

As part of a broader initiative to strengthen security, Microsoft is rolling out Microsoft-managed Conditional Access policies in Entra ID (formerly Azure Active Directory) to increase the use of multifactor authentication (MFA) for enterprise accounts.

Microsoft-managed Entra ID Conditional Access policies

Microsoft Entra Conditional Access policies are built with the current threat landscape in mind and with the objective to “automatically protect tenants based on risk signals, licensing, and usage.”

Microsoft Entra Conditional Access. (Source: Microsoft)

The first three policies are MFA-related, requiring MFA:

• For admins signing into Microsoft admin portals (Azure, Microsoft 365, and Exchange)
• For per-user MFA users accessing all cloud apps
• For high-risk sign-ins by all users (this policy is only available to Microsoft Entra ID Premium Plan 2 customers)

The policies will rolled out and visible for 90 days before be turned on by default and customers will be able to adjust them as preferred or disable them altogether.

Microsoft will start rolling them out next week to eligible tenants, who will have 90 days to customize or disable them before they are implemented.

“You can view the policies and their impact using the new policy view user experience, which includes a policy summary, alerts, recommended actions, and a policy impact summary. You can also monitor them using sign-in and audit logs,” said Alex Weinert, VP director of identity security at Microsoft.

“You can customize the policies by excluding users, groups, or roles that you want to be exceptions, such as emergency and break glass accounts. If you require more extensive customizations, you can clone a policy and then make as many changes as you want.”

Microsoft says that additional policies – including customized ones for specific organizations – will be introduced at a later date.

The power of security by default

A decade ago, Microsoft first started encouraging and, over time, enforcing MFA as a standard practice among consumer users. This strategic push not only raised awareness but also led to remarkable success in enhancing the security of consumer accounts.

Building on this achievement, Microsoft decided to extend the implementation of MFA to enterprise users.

“But we found the going much harder in the commercial space because we weren’t in control of account policies—customers were. Not only did identity admins fear user friction the way we had, but they were also grappling with budget constraints and talent shortages, as well as security and technical backlogs (none of this has gotten easier!). If we wanted to help our enterprise customers adopt multifactor authentication, we’d need to do more,” Weinert noted.

They’ve tried several approaches, including making MFA available for free to all customers, but success was limited. In 2019, they tried to exploit the power of security-by-default, and introduced security defaults.

“Today, many customers use security defaults, but many others need more granular control than security defaults offer. Customers may not be in a position to disable legacy authentication for certain accounts (a requirement for security defaults), or they may need to make exceptions for certain automation cases. Conditional Access does a great job here, but often customers aren’t sure where to start. They’ve told us they want a clear policy recommendation that’s easy to deploy but still customizable to their specific needs. And that’s exactly what we’re providing with Microsoft-managed Conditional Access policies,” Weinert explained.