CA-02 | Critical | Recommended Secure
Require MFA for All Administrators
Conditional Access control for Microsoft 365 and Entra ID
Why This Control Matters
Administrator accounts are prime targets for attackers. Even if MFA is required for all users, a dedicated policy for admins ensures they cannot bypass MFA under any condition and provides visibility into admin authentication.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. A Conditional Access policy targets the Directory Roles condition
2. Policy includes all privileged administrator roles
3. MFA is required on every sign-in (not just from untrusted locations)
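The three criteria above can be checked mechanically against exported policies. The following is an added example, not TrueConfig's own code: it assumes policies in the Microsoft Graph conditionalAccessPolicy JSON shape, and the required role set and the sample policies are constructed for illustration.

```python
# Added example: policies use the Microsoft Graph conditionalAccessPolicy shape.
# Assumption: the page does not list the privileged roles; this set of role
# template IDs is an illustrative minimum to extend for your tenant.
REQUIRED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}

def enforces_mfa(policy):
    """True if the policy is enabled and MFA cannot be swapped for another control."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if policy.get("state") != "enabled" or "mfa" not in controls:
        return False  # report-only and disabled policies do not require anything
    # With operator OR, any one listed control satisfies the policy.
    alternatives = len(controls) + len(grant.get("termsOfUse") or [])
    return grant.get("operator") == "AND" or alternatives == 1

def applies_everywhere(policy):
    """True if no location condition narrows the policy (criterion 3)."""
    loc = (policy.get("conditions") or {}).get("locations")
    if not loc:
        return True
    return loc.get("includeLocations") == ["All"] and not loc.get("excludeLocations")

def evaluate(policies):
    """Return (compliant, uncovered_role_names) for a list of policies."""
    covered = set()
    for p in policies:
        users = (p.get("conditions") or {}).get("users") or {}
        if enforces_mfa(p) and applies_everywhere(p):
            covered |= set(users.get("includeRoles") or []) - set(users.get("excludeRoles") or [])
    missing = sorted(name for rid, name in REQUIRED_ROLES.items() if rid not in covered)
    return (not missing, missing)

# Constructed sample policies, one compliant and three common deviations.
def make_policy(roles, state="enabled", controls=("mfa",), operator="OR", locations=None):
    return {"state": state,
            "conditions": {"users": {"includeRoles": list(roles)}, "locations": locations},
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}

ALL = list(REQUIRED_ROLES)
GOOD = make_policy(ALL)
UNTRUSTED_ONLY = make_policy(ALL, locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]})
MFA_OR_DEVICE = make_policy(ALL, controls=("mfa", "compliantDevice"))
REPORT_ONLY = make_policy(ALL, state="enabledForReportingButNotEnforced")
```

`evaluate` unions coverage across policies, so a tenant that splits admin roles over several policies still passes as long as every required role is covered by an enforced, location-independent MFA policy.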
Enforcement
Default Mode: Advisory
Alerts on deviations but does not make changes
Auto-Remediation: Available
Creates a Conditional Access policy requiring MFA for all admin roles