Skip to content

Enterprise Mobility + Security


Howdy folks,

Identity attacks have increased by 300% in the last year. To protect our customers from these ever-increasing attacks, Microsoft is embarking on a journey to rollout baseline protection. To that end, I’m excited to announce today the public preview of the first baseline policy to protect privileged Azure AD accounts.

This baseline policy will be available by default to all Azure AD tenants and will require MFA for privileged Azure AD accounts. Attackers who get control of privileged accounts can do tremendous damage, so it’s critical to protect these accounts first. The following Azure AD roles are covered by this policy:

  1. Global administrator
  2. SharePoint administrator
  3. Exchange administrator
  4. Conditional access administrator
  5. Security administrator

During the public preview phase, we’ve made it easy for you to opt into the baseline policy with a “one-click” experience. After general availability, we’re going to opt you into the policy by default but provide you the configuration to opt out at any time. We highly recommend you opt into the policy immediately.

We’ve heard from early adopters about this new policy, and wanted to share a piece of feedback with you that sums up their experience:

“I literally turned it on without telling my engineers, no one noticed the change because the experience is inline with their expectation of elevated privilege. At the same time, I can now show my security team with one easy configuration page that our elevated privilege access on these products are designed with security first in mind.”

Get started today

To enable baseline policy, follow the steps below:

  1. Sign-in to the Azure portal with a global administrator, security administrator, or conditional access administrator account
  2. Navigate to the Conditional access blade. You’ll see the baseline policy to require MFA for admins


  3. Click on the baseline policy
  4. To enable the policy immediately, select “Use policy immediately”

  5. Exclude users or groups as appropriate (Recommendation: Exclude one “emergency-access administrative account” to ensure you are not locked out of the tenant)
  6. Save the policy

To verify your baseline policy is set to go, sign in with one of the accounts in the directory role. You should see an MFA prompt.

Don’t forget to review the FAQ section to learn more about this new feature.

Tell us what you think

As always, we want to hear your feedback! Please let us know what you think of this new policy and how it’s working for you. We’re listening!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division