Microsoft began rolling out so-called Microsoft-managed Conditional Access policies in November 2023. These managed policies are intended to cover the most important identity security scenarios in Microsoft Entra ID.

These Microsoft-managed Conditional Access policies are meant as a counterpart to Security Defaults: Security Defaults protect tenants that have no Microsoft Entra ID Premium license, while the managed policies bring a comparable baseline to tenants that are licensed for Conditional Access.

In the first phase there are three policies, all deployed in report-only mode.

  • Require multifactor authentication for admin portals requires MFA when an account holding one of the highly privileged administrator roles Microsoft includes in the policy (Global Administrator among them) signs in to a Microsoft admin portal. The portals covered include the Azure portal, Exchange admin center, Microsoft 365 admin center, Microsoft 365 Defender portal, Microsoft Entra admin center, Microsoft Intune admin center, and Microsoft Purview compliance portal. Any access to these portals by an account in one of those roles therefore triggers an MFA prompt, even if no other policy covers it; accounts without such a role are not in scope of this policy.
  • Require multifactor authentication for per-user multifactor authentication users targets users who have MFA enabled or enforced in the legacy per-user MFA portal, the approach used mainly in the past. The policy requires MFA for these accounts on all cloud applications, so it replicates what per-user MFA did and prepares for September 2025, when the legacy MFA portal is to be deprecated.
  • Require multifactor authentication for high-risk sign-ins is created only in tenants with Microsoft Entra ID Premium Plan 2 licenses, because it relies on the sign-in risk detection in Microsoft Entra ID Protection. It targets all users and all applications and enforces MFA whenever a sign-in is assessed as high risk.

Automatic activation of Microsoft-managed conditional access policies

Since November 2023 the policies above have been created in every tenant licensed with at least Microsoft Entra ID Premium Plan 1, that is, every tenant eligible to use Conditional Access. They are created in report-only mode.

If the organization already has its own Conditional Access policy that covers one of the three scenarios equivalently, that Microsoft-managed policy is not created. You may therefore see none of the Microsoft-managed policies in your tenant, or only one or two rather than all three.

From the moment the policies appear in your tenant you have 90 days to turn them on or off yourself. If you take no action, after 90 days the policies switch automatically from report-only to On and start being enforced.

If you turn a policy off manually, it disappears from the tenant after some time. You cannot delete it yourself.

Review the Microsoft-managed conditional access policies

For most tenants, the three-month report-only period is ending right about now. If you haven't acted yet, perhaps because you never noticed the new policies, it's time to do so; otherwise the policies will be activated automatically (if they haven't been already) and enforced shortly after.
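The point of the report-only window is that the sign-in logs already record what each managed policy would have done. The following script is an added example, not code from the original post: it lists the Microsoft-managed policies with their state and age, and for each one still in report-only mode pulls the sign-ins from the last seven days that it would have interrupted or failed. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can read policies and sign-in logs, and that the managed policies carry the "Microsoft-managed:" display-name prefix shown in the Entra admin center; the 90-day countdown is computed from the policy's creation time as an approximation.

```powershell
# Added example, not code from the original post. Lists the Microsoft-managed Conditional Access
# policies in the tenant and, for each one still in report-only mode, pulls the sign-ins from the
# last 7 days that it would have interrupted (MFA prompt) or failed. That is the population to
# review before the policy switches to On.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in admin can read policies and
# sign-in logs; managed policies use the "Microsoft-managed:" display-name prefix (adjust if not).
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$managed = @(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -like "Microsoft-managed:*" })

if ($managed.Count -eq 0) {
    Write-Host "No Microsoft-managed policies found; an equivalent policy of your own may have suppressed them."
    return
}

# State values as exposed by Graph: enabled | disabled | enabledForReportingButNotEnforced
$managed | ForEach-Object {
    $ageDays = [int]((Get-Date) - $_.CreatedDateTime).TotalDays
    [pscustomobject]@{
        DisplayName      = $_.DisplayName
        State            = $_.State
        DaysSinceCreated = $ageDays
        DaysUntilAutoOn  = [math]::Max(0, 90 - $ageDays)   # approximation: 90 days from creation
    }
} | Format-Table -AutoSize

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

foreach ($p in $managed | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" }) {
    $hits = foreach ($s in $signIns) {
        $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $p.Id }
        # reportOnlyFailure / reportOnlyInterrupted: the policy would have blocked or prompted
        if ($applied -and $applied.Result -in @("reportOnlyFailure", "reportOnlyInterrupted")) {
            [pscustomobject]@{
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
                Result = $applied.Result
                When   = $s.CreatedDateTime
            }
        }
    }
    "{0}: {1} sign-ins in the last 7 days would have been affected" -f $p.DisplayName, @($hits).Count
    # The accounts hit most often (service accounts, scripted logins) are the ones to fix or exclude first
    $hits | Group-Object User | Sort-Object Count -Descending |
        Select-Object -First 10 @{ n = 'User'; e = { $_.Name } }, Count | Format-Table -AutoSize
}
```

Sign-in log retention on Premium tenants is limited, so run this before the end of the window rather than after; a policy that shows zero affected sign-ins over a week of normal traffic is a safe candidate to turn on immediately.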

Automatic enforcement is good for tenants with no regular administration, where nobody noticed the policies in three months. If you look after your tenant's security regularly, it's better to keep things under control and act proactively.

In any case, I recommend opening the Conditional Access policies in Microsoft Entra ID and checking the state of each one. If none of your own policies cover the three scenarios above, I definitely recommend turning the Microsoft-managed policies on, adjusting them to your usual practices as needed, and, for example, adding your break-glass accounts to the exclusions.
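As an added example that is not part of the original post, the script below does the two things recommended above in one pass: it adds the break-glass accounts to the exclusions of every Microsoft-managed policy and then promotes policies from report-only to On, leaving any policy that someone deliberately set to Off untouched. It assumes the Microsoft.Graph PowerShell SDK, that the two UPNs are placeholders for your own emergency-access accounts, and that the tenant lets you edit exclusions and state on Microsoft-managed policies through Graph (the same operation the "Exclude users" dialog performs). It is a dry run unless invoked with -Apply.

```powershell
# Added example, not code from the original post. Adds the break-glass accounts to the exclusions
# of every Microsoft-managed Conditional Access policy, then promotes report-only policies to On.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the UPNs below are placeholders for your
# own emergency-access accounts; exclusions and state on Microsoft-managed policies can be edited
# through Graph. Dry run unless -Apply is given.
param([switch]$Apply)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

$breakGlassUpns = @("breakglass1@contoso.onmicrosoft.com", "breakglass2@contoso.onmicrosoft.com")  # placeholders
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })
$verb           = if ($Apply) { "" } else { "would be " }

$managed = @(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -like "Microsoft-managed:*" })

foreach ($p in $managed) {
    $users    = $p.Conditions.Users
    $existing = @($users.ExcludeUsers)
    $missing  = @($breakGlassIds | Where-Object { $_ -notin $existing })

    if ($missing.Count -gt 0) {
        # Send the whole users block back: PATCH replaces the nested object, so dropping
        # includeUsers/includeRoles here would change who the policy applies to.
        $body = @{
            conditions = @{
                users = @{
                    includeUsers  = @($users.IncludeUsers)
                    excludeUsers  = @($existing + $missing)
                    includeGroups = @($users.IncludeGroups)
                    excludeGroups = @($users.ExcludeGroups)
                    includeRoles  = @($users.IncludeRoles)
                    excludeRoles  = @($users.ExcludeRoles)
                }
            }
        }
        if ($Apply) { Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter $body }
        "{0}: {1} break-glass exclusion(s) {2}added" -f $p.DisplayName, $missing.Count, $verb
    }

    # Only promote report-only policies; a policy deliberately set to Off stays Off.
    if ($p.State -eq "enabledForReportingButNotEnforced") {
        if ($Apply) { Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter @{ state = "enabled" } }
        "{0}: {1}turned On" -f $p.DisplayName, $verb
    }
}

# Verify the end state: every managed policy's state and whether all break-glass IDs are excluded.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -like "Microsoft-managed:*" }) {
    $excl = @($p.Conditions.Users.ExcludeUsers)
    [pscustomobject]@{
        DisplayName        = $p.DisplayName
        State              = $p.State
        BreakGlassExcluded = (@($breakGlassIds | Where-Object { $_ -notin $excl }).Count -eq 0)
    }
}
```

Run it once without -Apply and read the output, then with -Apply from a session that is itself signed in with MFA; the verification loop at the end should show every managed policy as enabled with BreakGlassExcluded true before you close the session.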