MFA for Azure admins will be soon enforced

Jean-Yves Moschetto (ANVOLE) | 05 Mar, 2019 | MFA, Azure, Office 365 | Azure, Office 365, Active Directory | View Counts (3957) |Return|
0 ( 3 reviews)


Identity attacks have increased by 300% in the last year.
Many IT guys use their standard AD account also as Azure AD administrator.
If your company is a MS Cloud Service Provider (CSP), by default it can delegate "general Admin" role on Customer tenant.


That means that:

1/ You will harden IT admins workstations with BitLocker and other policies and tools

2/ Your tenant will have to be MFA compliant, for your company and customers security

3/ If your daily account is also admin, think about creating a dedicated admin account with MFA, and remove all privileges from your daily account

Good news: MFA for admins do not require additional E3 or E5 license.



MFA for admins can simply be enforced now.

Go to Azure Portal / Azure Active Directory / Enterprise applications / Conditional Access

When you detail policy "Baseline policy: Require MFA for admins", you see what we are talking about MFA02

Of course you can also set MFA for admins one by one here:
but that is not a global enforcement policy (hackers are always looking for weak points).


MFA user side

Once MFA for admins is enforced, it can be used with mobile confirmation, SMS confirmation.

For this example, we will use mobile application (it's easier using Internet for confirmation, rather than SMS or phone calls when you are in a datacenter)

For each admin user, from a PC, goto : https://aka.ms/mfasetup , or directly here: https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 , authenticate
  • Select “ what's your preferred option? ” : Use verification code from app or token
  • Check box “Authenticator app or Token”
  • Press button “Set up Authenticator app”


You will see the beyond screen:

Switch to your mobile phone, and then, install the Microsoft Authenticator for Windows Phone, Android or iOS , or through your mobile store
On android, launch app "Play Store"
Type "Microsoft Authenticator"
Select app, then

Click on "..." button then "Add account" or "+" button MFA06
Select "Professional account" MFA07
Then, scan the previous QR code displayed on your PC
The account will automatically be added on your phone
Switch back to your PC, click from the widows with QR Code MFA09
You should receive now a notification on your mobile MFA10

You will see your mobile displayed; In our case “S41”

"Et voilà" MFA12


MFA authentication

Enter your account and password MFA13
You will see MFA screen coming on your PC MFA14
Switch to your mobile Authenticator
Click on button
"Et voilà", you used MFA for privileged Azure AD accounts !!!



ADDS Forest and Domain Functional Levels

Regularly customers ask "why should I raise ADDS functional level"? Here are the anwsers

How to sign XML file with PowerShell

It often happened in my developments to have to protect my sources, and be sure that the configurati...

Hard to replicate Exchange Connectors

When you have multiple Microsoft Exchange Servers receiving emails, you have to create exactly the s...


Suite au succès de notre afterwork sécurité de décembre, venez nous rejoindre à l'afterwork RGPD...

WUAUCLT no more working on Windows 10? Please replace with USOCLIENT.EXE

WUAUCLT no more working on Windows 10 and Server 2016? Please replace with USOCLIENT.EXE