Introduction
Requiring multi-factor authentication (MFA) for every administrative role makes it considerably harder for an attacker to take over those accounts. Administrative roles carry far more permissions than regular user accounts, so if any one of them is compromised, critical devices and data are exposed.
1. Log in to https://entra.microsoft.com/
2. Expand Azure Active Directory
3. Select Protect & Secure, then select Conditional Access.
4. Click New policy and provide the policy name
5. Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles. At a minimum, select the following roles: Billing admin, Conditional Access admin, Exchange admin, Global admin, Helpdesk admin, Security admin, SharePoint admin, and User admin (you can select all roles containing the word admin).
6. Under Exclude, add your emergency access (break-glass) accounts so the MFA requirement does not lock you out of the tenant.
7. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don’t exclude any apps).
8. Under Access controls > Grant > select Grant access > check Require multifactor authentication (and nothing else).
9. Click Create.
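The same policy can be created from the Microsoft Graph PowerShell SDK, which is useful when you want the configuration in source control or need to apply it to several tenants. The script below is an added example and is not part of the original tutorial. It assumes the Microsoft.Graph module is installed, that you sign in with an account allowed to manage Conditional Access, and that the two break-glass UPNs are placeholders you replace with your own. It resolves the role names from step 5 to role template IDs instead of hard-coding GUIDs, refuses to create the policy if an emergency access account cannot be found (step 6), and creates the policy in report-only mode first so the sign-in logs show what would be blocked before anything is enforced.

```powershell
# Added example: build the tutorial's "MFA for admin roles" Conditional Access policy
# with Microsoft Graph PowerShell. Not from the original page.
# Assumptions: Microsoft.Graph module installed; caller can manage Conditional Access;
# the break-glass UPNs below are placeholders for your own emergency access accounts.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "User.Read.All"

# Step 5: the roles the tutorial lists as a minimum. Resolve display names to
# role template IDs so nothing is hard-coded.
$roleNames = @(
    "Billing Administrator", "Conditional Access Administrator", "Exchange Administrator",
    "Global Administrator", "Helpdesk Administrator", "Security Administrator",
    "SharePoint Administrator", "User Administrator"
)
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $roleNames) {
    $t = $templates | Where-Object { $_.DisplayName -eq $name }
    if (-not $t) { throw "Role template '$name' not found in this tenant" }
    $t.Id
}

# Step 6: exclude emergency access accounts (placeholder UPNs, replace with yours).
# Fail closed: never create the policy without a working exclusion.
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")
$excludeUserIds = foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    if (-not $u) { throw "Emergency access account '$upn' not found; refusing to create the policy" }
    $u.Id
}

$policy = @{
    displayName   = "Require MFA for administrative roles"
    # Report-only first; switch to "enabled" after reviewing the sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeRoles = $roleIds
            excludeUsers = $excludeUserIds
        }
        # Step 7: all cloud apps, no exclusions.
        applications = @{
            includeApplications = @("All")
        }
    }
    # Step 8: grant access only with MFA, nothing else.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the role scope and the exclusions survived.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Policy $($check.Id) state: $($check.State)"
"Roles in scope: $($check.Conditions.Users.IncludeRoles.Count)"
"Excluded users: $($check.Conditions.Users.ExcludeUsers -join ', ')"

# Once the report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keeping the policy in report-only mode for a few days before enabling it is the safest way to catch an administrator who has no MFA method registered yet; the sign-in logs will show their sign-ins as "would have been blocked" without actually locking anyone out.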
Summary
We learned how to set up multifactor authentication for administrative roles in this tutorial. Please leave a comment in the comment box if you have any questions.