Microsoft-managed Conditional Access policies are part of a broader Microsoft initiative to strengthen the security of Microsoft 365 tenants that are eligible for Conditional Access.
Not to be confused with Security Defaults, Microsoft-managed Conditional Access policies provide specific protections based on Microsoft’s deep understanding of the current threat landscape. Security Defaults, on the other hand, enforce strict security with no possible exceptions, pushing users toward the premium Entra subscription model.
As far as we know, based on a recent blog announcement, three new Conditional Access policies will be created automatically in all eligible tenants, tagged as Microsoft-managed. The policies will be configured as follows:
- Name: Require multifactor authentication for admin portals
  - Scope: All customers
  - Status: Microsoft Entra ID P1 and P2 tenants with Security Defaults turned off.
- Name: Require multifactor authentication for per-user multifactor authentication users
  - Scope: Microsoft Entra ID P1 and P2 tenants with Security Defaults Off and less than 500 per-user MFA-enabled users.
  - Status: Report-only
- Name: Require multifactor authentication for high-risk sign-ins
  - Scope: Microsoft Entra ID P2 tenants where there are enough licenses for each user.
  - Status: Report-only
From the time they are created, administrators will have 90 days to either customise or disable these policies at their own discretion. After that time, each policy will be automatically turned on! It is my recommendation that you disable these policies and recreate your own, ensuring that your own policies achieve the goal of each of the policies above. Some recommended policies that would cover these and provide better protection include:
- Require MFA for all users.
- Require Strong Auth for all directory roles.
- Block high-risk sign-ins.
- Require device compliance.
Of course, just to be clear, I am not recommending you disable these policies without having already covered these bases in your existing policies. I am recommending you disable them because they may interfere with any BAU exclusions or break-glass exclusions you already have in place. Learn how to protect your break-glass accounts from rogue Conditional Access policies here.
Disable Microsoft-managed Conditional Access policies
Use these steps to disable the Microsoft-managed Conditional Access policies:
- Log in to entra.microsoft.com
- Under Protection select Conditional Access > Policies.
- Select the Microsoft-managed policy you wish to disable.
- Under State, click Edit and turn off the policy.
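The break-glass concern above and the disable steps can also be checked and prepared outside the portal. The following is an added example (not code from the original post or from Microsoft) that audits Conditional Access policies in the JSON shape returned by Microsoft Graph: it flags Microsoft-managed policies, reports their state, checks whether a given set of break-glass account IDs is excluded, and builds the Graph PATCH that would turn a policy off. It assumes managed policies are identifiable by a "Microsoft-managed" display-name prefix, and the sample policies and IDs are constructed.

```python
"""Audit Conditional Access policies (Microsoft Graph JSON shape) for
Microsoft-managed entries and for break-glass exclusions."""
import json

# Assumption: Microsoft-managed policies carry this prefix in displayName.
MANAGED_PREFIX = "Microsoft-managed"
GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def is_microsoft_managed(policy: dict) -> bool:
    return policy.get("displayName", "").startswith(MANAGED_PREFIX)

def excludes_break_glass(policy: dict, break_glass_ids: set) -> bool:
    """True only when every break-glass account ID is in the policy's excludeUsers list."""
    excluded = set(policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    return break_glass_ids <= excluded

def audit(policies: list, break_glass_ids: set) -> list:
    """One finding per policy: whether it is Microsoft-managed, its Graph state
    (enabled / disabled / enabledForReportingButNotEnforced) and break-glass coverage."""
    return [{
        "id": p["id"],
        "name": p["displayName"],
        "managed": is_microsoft_managed(p),
        "state": p.get("state"),
        "break_glass_excluded": excludes_break_glass(p, break_glass_ids),
    } for p in policies]

def at_risk(findings: list) -> list:
    """Policies that would lock out break-glass accounts if enforced: managed or not,
    anything not disabled that does not exclude every break-glass account."""
    return [f for f in findings if f["state"] != "disabled" and not f["break_glass_excluded"]]

def disable_request(policy_id: str) -> tuple:
    """Build (URL, JSON body) for the Graph PATCH that turns a policy off; nothing is sent here."""
    return f"{GRAPH_POLICIES}/{policy_id}", json.dumps({"state": "disabled"})

# Constructed sample resembling a Graph response; all IDs are placeholders.
SAMPLE_POLICIES = [
    {"id": "00000000-0000-0000-0000-000000000001",
     "displayName": "Microsoft-managed: Require MFA for admin portals",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"id": "00000000-0000-0000-0000-000000000002",
     "displayName": "CA001 - Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-1", "bg-2"]}}},
]

if __name__ == "__main__":
    for f in at_risk(audit(SAMPLE_POLICIES, {"bg-1", "bg-2"})):
        print("missing break-glass exclusion:", f["name"], "->", disable_request(f["id"])[0])
```

Feed it the `value` array from a `GET` on the policies endpoint and the real object IDs of your break-glass accounts; any managed policy listed by `at_risk` is one to disable or customise before the 90-day window closes.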