
IBP‑IDENTITY – All Apps: [Require MFA] for [All Admin Roles]

🎯 Purpose

✅ Require multi‑factor authentication (MFA) for all administrative roles across all Microsoft cloud applications.
➡️ Ensures that privileged identities cannot authenticate using password‑only methods, strengthening your Essential Eight Maturity Level 2–3 security baseline.


👥 Who is affected

Users: All administrative roles (130+ privileged roles)
🚫 Exclusions: One exception group (typically Break‑Glass / Emergency Access)

➡️ All privileged accounts must complete MFA, with only emergency access accounts excluded.


☁️ What access is protected

Applications: All cloud applications
Client types: all client app types: browser, mobile apps and desktop clients using modern authentication (including CLI tools and PowerShell), plus legacy authentication clients. A legacy (basic) authentication protocol cannot complete an MFA challenge, so when the policy applies to such a sign‑in the result is a block, not a step‑up.

➡️ MFA is required for all administrative actions, in every portal, tool, and app.


🔐 How MFA is enforced

✅ MFA is required for every admin sign‑in
✅ Enforced using the built‑in Conditional Access "Require multifactor authentication" grant control
❌ No Authentication Strength policies applied (standard MFA only): any method the tenant permits as a second factor satisfies the policy, including SMS and voice call unless the authentication methods policy disables them

➡️ Password‑only or single‑factor admin sign‑ins are blocked.
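The three sections above describe the complete policy definition (admin roles in, one break‑glass group out, all apps, all client types, built‑in MFA grant). As an added example that is not part of this page or the vendor's own tooling, the following Microsoft Graph PowerShell script builds that definition, creates it in report‑only mode, and then lists the admin sign‑ins that would have failed it. It assumes the Microsoft.Graph PowerShell SDK is installed, the caller holds Conditional Access Administrator rights, and the emergency accounts sit in a group called 'Break-Glass Accounts' (a hypothetical name; the role template deny‑list is also this example's own choice).

```powershell
# Added example, not the page's or vendor's script. Requires the Microsoft.Graph
# PowerShell SDK (modules Identity.SignIns, Identity.DirectoryManagement,
# Groups and Reports). Names marked "hypothetical" are assumptions.
param(
    [string] $PolicyName      = 'IBP-IDENTITY - All Apps: [Require MFA] for [All Admin Roles]',
    [string] $BreakGlassGroup = 'Break-Glass Accounts'   # hypothetical group name
)

Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'RoleManagement.Read.Directory', 'Group.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

# Role templates that every tenant has but that are not admin roles, or whose
# holder cannot answer an interactive MFA prompt. The Entra Connect sync account
# holds "Directory Synchronization Accounts"; requiring MFA on it breaks sync,
# which is why Microsoft's own "Require MFA for admins" template leaves it out.
$NonAdminTemplates = @(
    'User', 'Guest User', 'Restricted Guest User',
    'Directory Synchronization Accounts',
    'Device Users', 'Device Join', 'Workplace Device Join'
)

# "All admin roles": every built-in directory role template except the deny-list.
# Azure RBAC roles (subscription Owner/Contributor) are not directory roles and
# cannot be targeted here.
$AdminRoleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -notin $NonAdminTemplates } |
    Select-Object -ExpandProperty Id

$BreakGlass = @(Get-MgGroup -Filter "displayName eq '$BreakGlassGroup'")
if ($BreakGlass.Count -ne 1) {
    throw "Expected exactly one group named '$BreakGlassGroup' (found $($BreakGlass.Count)); refusing to create an admin MFA policy without a break-glass exclusion."
}

$Policy = @{
    displayName = $PolicyName
    # Report-only first: the Sign-in logs then show who would be blocked
    # before anyone actually is.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles  = $AdminRoleIds
            excludeGroups = @($BreakGlass[0].Id)
        }
        applications   = @{ includeApplications = @('All') }
        # 'all' = browser, mobile/desktop modern-auth clients and legacy ("other") clients.
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # built-in MFA control; no authentication strength
    }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
"Created '$($Created.DisplayName)' ($($Created.Id)) in report-only mode, targeting $($AdminRoleIds.Count) roles."

# Check, to run after the policy has sat in report-only for a while: admin
# sign-ins that would have failed it, i.e. admins still authenticating without MFA.
$Since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $Since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed, IpAddress |
    Format-Table -AutoSize
```

Switch `state` to `enabled` only once the report‑only query comes back empty, and verify the break‑glass group still contains exactly the emergency accounts before doing so.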


ℹ️ Note

This policy includes one of the most complete administrative role sets possible, covering:

  • Global Admin

  • Security/Admin/Conditional Access roles

  • All Microsoft Entra ID built‑in directory roles (Azure RBAC roles such as subscription Owner or Contributor are not directory roles and cannot be targeted by the Directory roles condition)

  • App admin roles

  • Privileged Identity Management roles

  • Application Owners

  • Billing, Helpdesk, and Authentication admins

  • Directory writers

  • And 100+ more

This is a highly robust privileged identity control.


⚙️ What this policy does NOT enforce

🚫 Device compliance
🚫 Location restrictions
🚫 Platform restrictions
🚫 User risk
🚫 Sign‑in risk
🚫 Session controls
🚫 Authentication Strength requirements

➡️ The control is singular and absolute: require MFA for every admin sign‑in.


🟢 Policy status

Enabled
➡️ Actively enforcing MFA for all administrative roles.


📘 Security Alignment

✅ Strongly aligns with Microsoft privileged access hardening
➡️ Meets the Essential Eight Maturity Level 2 requirement that privileged users authenticate with MFA
ℹ️ Forms a core foundation for Maturity Level 3, where phishing‑resistant MFA is expected. Note that standard MFA methods (push notification, OTP, SMS, voice call) are not phishing‑resistant, and the November 2023 revision of the maturity model already requires phishing‑resistant MFA for users of online services at Maturity Level 2; check the currently published model before citing this policy as Maturity Level 2 evidence.
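Moving from the built‑in MFA control to phishing‑resistant MFA is a one‑field change in the grant controls. As an added example (not part of this page or the vendor's tooling), the script below shows the weak grant beside the hardened one, first listing admins who have no phishing‑resistant method registered, then updating the existing policy to the built‑in "Phishing‑resistant MFA" authentication strength. It assumes the policy was created with the display name shown, that the Microsoft.Graph PowerShell SDK is installed, and that the method names are those used by the user registration details report; the built‑in strength IDs are Microsoft's fixed values.

```powershell
# Added example, not the page's or vendor's script. Requires the Microsoft.Graph
# PowerShell SDK (modules Identity.SignIns and Reports).
$PolicyName = 'IBP-IDENTITY - All Apps: [Require MFA] for [All Admin Roles]'

# Built-in authentication strength IDs (the same in every tenant).
$Strength = @{
    MultifactorMfa       = '00000000-0000-0000-0000-000000000002'  # any MFA; equivalent to the 'mfa' control
    PasswordlessMfa      = '00000000-0000-0000-0000-000000000003'
    PhishingResistantMfa = '00000000-0000-0000-0000-000000000004'  # FIDO2/passkey, WHfB, certificate-based
}

# Method names as reported by the user registration details report (assumption:
# extend the list if your tenant relies on certificate-based authentication).
$PhishingResistantMethods = @('fido2SecurityKey', 'windowsHelloForBusiness', 'passKeyDeviceBound')

Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# Pre-check: admins who would be locked out the moment the strength is enforced.
$NotReady = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin -and -not ($_.MethodsRegistered | Where-Object { $_ -in $PhishingResistantMethods }) } |
    Select-Object -ExpandProperty UserPrincipalName
if ($NotReady) {
    "Admins without a phishing-resistant method registered:"
    $NotReady
}

$Existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $Existing) { throw "Policy '$PolicyName' not found." }

# Current (weak) grant, as the page describes it: any registered MFA method.
#   grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
# Hardened grant: no built-in control, phishing-resistant strength instead.
$Hardened = @{
    grantControls = @{
        operator               = 'OR'
        builtInControls        = @()
        authenticationStrength = @{ id = $Strength.PhishingResistantMfa }
    }
    # Back to report-only: $NotReady admins would otherwise be cut off immediately.
    state = 'enabledForReportingButNotEnforced'
}

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Existing.Id -BodyParameter $Hardened
"Policy '$PolicyName' now requires the Phishing-resistant MFA strength (report-only until re-enabled)."
```

The break‑glass exclusion is untouched by this change; emergency accounts still need their own hardware‑key enrolment and monitoring, which this policy does not provide.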


📘 Practical Interpretation (Executive‑Friendly)

This Conditional Access policy ensures that:

✅ Every administrator
✅ Accessing any Microsoft cloud application
✅ Must authenticate using multi‑factor authentication

This eliminates password‑only admin access, reduces privileged account compromise risk, and forms a core part of a secure identity perimeter.
