CA-02: Creating an Admin-Specific MFA Policy
Overview
This guide walks you through creating a Conditional Access policy that specifically targets administrative roles, ensuring administrators are always prompted for MFA regardless of other policies or conditions. This provides an additional layer of protection for your most privileged accounts.
- Control ID: CA-02
- Category: Conditional Access
- Severity: Critical
- License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)
Why This Matters
Administrator accounts are prime targets for attackers because they provide extensive access to your tenant. Even if you have a baseline MFA policy for all users (CA-01), a dedicated admin policy ensures:
- No exceptions or bypasses for admin authentication
- Visibility into admin authentication events specifically
- Defense in depth - if the general policy is disabled, admins remain protected
- Stricter controls can be applied to admins without affecting all users
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended - least privilege)
- Security Administrator
- Global Administrator
Required Licenses
- Microsoft Entra ID P1 or higher for each user with admin roles
- Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2
Pre-Configuration Requirements
Before creating this policy, ensure:
- Emergency access accounts exist - At least 2 break-glass accounts are created (see PA-03 guide)
- Baseline MFA policy exists - CA-01 should be in place first
- Admin roles are documented - Know which roles exist in your tenant
Time Estimate
| Task | Duration |
|---|---|
| Policy creation | 10-15 minutes |
| Testing with admin accounts | 30 minutes |
| Total | 45-60 minutes |
Step-by-Step Instructions
Step 1: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- In the left navigation, expand Protection
- Select Conditional Access
- Click Policies in the submenu
Step 2: Create a New Policy
- Click + New policy at the top of the policies list
- Enter a descriptive name:
Require MFA for All Administrators
Step 3: Configure Users and Groups
- Under Assignments, click Users
- Under Include, select Select users and groups
- Check Directory roles
- Select the following administrative roles (at minimum):
Critical Roles (always include):
- Global Administrator
- Privileged Role Administrator
- Security Administrator
- Conditional Access Administrator
- Exchange Administrator
- SharePoint Administrator
- User Administrator
- Authentication Administrator
- Password Administrator
- Billing Administrator
- Compliance Administrator
- Intune Administrator
Additional Recommended Roles:
- Application Administrator
- Cloud Application Administrator
- Helpdesk Administrator
- License Administrator
- Groups Administrator
- Teams Administrator
- Under Exclude, click Users and groups
- Add your emergency access accounts
Step 4: Configure Target Resources
- Under Target resources, click Cloud apps
- Select All cloud apps under Include
Note: You can alternatively target only "Microsoft Admin Portals" if you want to be more specific, but "All cloud apps" provides broader protection.
Step 5: Configure Conditions
For admin MFA, do NOT configure conditions that would reduce enforcement:
- Locations: Leave unconfigured (admins should always require MFA)
- Device platforms: Leave unconfigured
- Client apps: Leave as default (all client apps)
Step 6: Configure Access Controls
- Under Access controls, click Grant
- Select Grant access
- Check Require multifactor authentication
- Click Select
Step 7: Enable the Policy
Since this policy targets admins who should already have MFA configured:
- Under Enable policy, select On
- Click Create
Alternative - Report-only first: If you are unsure about impact, start with "Report-only" for 1 day, review sign-in logs, then enable.
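The same policy built from Steps 2 through 7 with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Conditional Access Administrator role, and that the two break-glass UPNs (placeholders below) are the emergency access accounts created under PA-03. Role names are resolved to directory role template IDs at run time, so a misspelled role stops the script instead of silently shrinking the policy's scope.

```powershell
# Added example (not part of the original guide): create the CA-02 policy via Graph.
# Assumptions: Microsoft.Graph module installed; caller is a Conditional Access
# Administrator; $breakGlassUpns holds your PA-03 emergency accounts (placeholders).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'RoleManagement.Read.Directory', 'User.Read.All'

# Step 3 (Include): the "Critical" and "Additional Recommended" roles listed above.
$roleNames = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'User Administrator', 'Authentication Administrator', 'Password Administrator',
    'Billing Administrator', 'Compliance Administrator', 'Intune Administrator',
    'Application Administrator', 'Cloud Application Administrator', 'Helpdesk Administrator',
    'License Administrator', 'Groups Administrator', 'Teams Administrator'
)

# Conditional Access references roles by template ID, not display name.
$templates = Get-MgDirectoryRoleTemplate
$roleIds = @(foreach ($name in $roleNames) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Role template not found: $name" }
    $t.Id
})

# Step 3 (Exclude): emergency access accounts, resolved from UPN to object ID.
$breakGlassUpns = @('breakglass1@PLACEHOLDER.onmicrosoft.com',
                    'breakglass2@PLACEHOLDER.onmicrosoft.com')
$breakGlassIds = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })
if ($breakGlassIds.Count -lt 2) {
    throw 'At least two emergency access accounts must be excluded (see PA-03).'
}

$policy = @{
    displayName   = 'Require MFA for All Administrators'     # Step 2
    # Step 7: start in report-only; change to 'enabled' after reviewing sign-in logs.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeRoles = $roleIds
            excludeUsers = $breakGlassIds
        }
        applications   = @{ includeApplications = @('All') }  # Step 4
        clientAppTypes = @('all')                             # Step 5: no narrowing conditions
    }
    grantControls = @{                                        # Step 6
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

The script deliberately starts in report-only (the "Alternative" above); flip `state` to `enabled` once the sign-in logs show the expected evaluations. Locations, device platforms and session controls are intentionally absent, matching Step 5 and the configuration summary.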
Covered Administrative Roles
The following roles should be included in this policy. These are the privileged roles that provide significant access to your tenant:
Tier 0 - Highest Privilege
| Role | Description |
|---|---|
| Global Administrator | Full access to all tenant settings |
| Privileged Role Administrator | Can manage role assignments |
| Security Administrator | Manages security features |
| Conditional Access Administrator | Manages CA policies |
Tier 1 - High Privilege
| Role | Description |
|---|---|
| Exchange Administrator | Manages Exchange Online |
| SharePoint Administrator | Manages SharePoint Online |
| User Administrator | Manages users and groups |
| Authentication Administrator | Manages authentication methods |
| Password Administrator | Resets passwords |
| Intune Administrator | Manages Intune/devices |
Tier 2 - Moderate Privilege
| Role | Description |
|---|---|
| Application Administrator | Manages app registrations |
| Cloud Application Administrator | Manages cloud apps |
| Helpdesk Administrator | Resets passwords for non-admins |
| Groups Administrator | Manages groups |
| Teams Administrator | Manages Teams settings |
| Billing Administrator | Manages subscriptions |
Verification Checklist
After enabling the policy, verify successful implementation:
Immediate Checks
- Policy appears in the Conditional Access policies list with status "On"
- All critical admin roles are selected in the Include section
- Emergency access accounts are listed in the exclusions
- No syntax errors or warnings appear on the policy
Admin Sign-in Validation
- Sign out and sign in with an account that has one of the targeted admin roles
- Verify MFA prompt appears immediately
- Complete MFA successfully
- Confirm access to admin portal is granted
Sign-in Log Validation
- Navigate to Entra admin center > Monitoring > Sign-in logs
- Filter by a user with an admin role
- Click on a recent sign-in and check the Conditional Access tab
- Verify your admin MFA policy appears with result "Success"
Emergency Account Validation
- Sign in with one emergency access account
- Verify MFA is NOT prompted (policy exclusion working)
- Document this test for audit purposes
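The "Immediate Checks" and "Sign-in Log Validation" items above, automated with Microsoft Graph PowerShell as an added example that is not part of the original guide. It assumes the policy carries the Step 2 name and uses placeholder UPNs for the test admin and one break-glass account; each failed check is reported as a warning so the whole list runs to completion.

```powershell
# Added example (not part of the original guide): verify the CA-02 policy and the
# latest sign-in of a test admin. $testAdminUpn and $breakGlassUpn are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory',
                        'AuditLog.Read.All', 'Directory.Read.All', 'User.Read.All'

$policyName    = 'Require MFA for All Administrators'
$testAdminUpn  = 'admin-test@PLACEHOLDER.onmicrosoft.com'
$breakGlassUpn = 'breakglass1@PLACEHOLDER.onmicrosoft.com'

$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }

# Immediate check: status is On ('enabled'), not report-only or disabled.
if ($policy.State -ne 'enabled') {
    Write-Warning "Policy state is '$($policy.State)', expected 'enabled'"
}

# Immediate check: every Tier 0 role is in the Include set (compared by template ID).
$tier0 = 'Global Administrator', 'Privileged Role Administrator',
         'Security Administrator', 'Conditional Access Administrator'
$templates = Get-MgDirectoryRoleTemplate
foreach ($name in $tier0) {
    $id = ($templates | Where-Object DisplayName -eq $name).Id
    if ($policy.Conditions.Users.IncludeRoles -notcontains $id) {
        Write-Warning "Tier 0 role missing from Include: $name"
    }
}

# Immediate check: the emergency access account is excluded.
$bgId = (Get-MgUser -UserId $breakGlassUpn -Property Id).Id
if ($policy.Conditions.Users.ExcludeUsers -notcontains $bgId) {
    Write-Warning "Emergency access account $breakGlassUpn is not excluded"
}

# Sign-in log validation: the most recent sign-in of the test admin must list this
# policy with result 'success' (MFA was required and satisfied).
$signIn  = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testAdminUpn'" -Top 1
$applied = $signIn.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
if (-not $applied) {
    Write-Warning "Policy was not evaluated for the latest sign-in of $testAdminUpn"
} elseif ($applied.Result -ne 'success') {
    Write-Warning "Policy result was '$($applied.Result)', expected 'success'"
} else {
    "OK: $policyName applied to $testAdminUpn at $($signIn.CreatedDateTime) with result $($applied.Result)"
}
```

Sign-in log entries can lag a few minutes behind the actual sign-in, so run the last section after the test sign-in has appeared in the portal. For the emergency account test, the same query against `$breakGlassUpn` should return the policy with a result of `notApplied`, which is the exclusion working.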
Troubleshooting
Admin Not Prompted for MFA
Symptom: User with admin role is not prompted for MFA.
Solutions:
- Verify the specific admin role is selected in the policy
- Check whether the user's role is assigned directly (active) or through PIM; eligible roles that have not been activated do not trigger the policy
- Ensure the policy is set to "On" (not "Report-only")
- Use the "What If" tool to validate the policy applies
PIM Eligible Roles Not Triggering Policy
Symptom: Users with PIM eligible roles are not prompted for MFA.
Explanation: Directory role targeting in CA applies to active role assignments only. Users with eligible (not activated) PIM roles are not considered to have the role.
Solutions:
- This is expected behavior - users are protected once they activate
- Consider creating a separate policy for PIM-eligible users if needed
- Configure PIM to require MFA on activation (recommended approach)
Too Many Roles Selected
Symptom: Non-admin users are being prompted unexpectedly.
Solutions:
- Review which roles are selected in the policy
- Ensure only intentional admin roles are included
- Consider creating multiple policies for different admin tiers
Conflicting Policies
Symptom: The admin MFA policy is being overridden by another policy.
Solutions:
- Check all CA policies for conflicts
- Conditional Access uses "most restrictive wins" for access controls
- However, if another policy grants access without MFA to specific conditions, it may apply first
- Use the "What If" tool to see all applicable policies
Policy Configuration Summary
| Setting | Value |
|---|---|
| Policy Name | Require MFA for All Administrators |
| Users - Include | Directory roles: Global Admin, Security Admin, etc. |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions | None |
| Grant | Require multifactor authentication |
| Session | None |
| Enable Policy | On |
Advanced Configuration: Authentication Strength
For enhanced security, you can require specific MFA methods for admins:
Using Authentication Strength (Preview/GA)
- In the Grant controls, instead of "Require multifactor authentication"
- Select Require authentication strength
- Choose Phishing-resistant MFA or create a custom authentication strength
This enforces methods like:
- FIDO2 security keys
- Windows Hello for Business
- Certificate-based authentication
Note: This requires Entra ID P1 and users must have registered the required methods.
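The grant-control swap described above, applied to the existing CA-02 policy with Microsoft Graph PowerShell, as an added example that is not part of the original guide. It assumes the policy exists under the Step 2 name and looks up the built-in "Phishing-resistant MFA" strength by display name rather than hardcoding its ID.

```powershell
# Added example (not part of the original guide): replace "Require multifactor
# authentication" with the built-in "Phishing-resistant MFA" authentication strength.
# Assumes the CA-02 policy exists under its Step 2 name.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policyName = 'Require MFA for All Administrators'
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }

# Resolve the built-in strength by name; custom strengths are listed the same way.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
            Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw 'Authentication strength "Phishing-resistant MFA" not found' }

# The 'mfa' built-in control and an authentication strength are mutually exclusive,
# so builtInControls is emptied and the strength reference takes its place.
$grant = @{
    operator               = 'OR'
    builtInControls        = @()
    authenticationStrength = @{ id = $strength.Id }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ grantControls = $grant }

"Policy $($policy.Id) now requires authentication strength '$($strength.DisplayName)'"
```

Because an admin who has not yet registered a FIDO2 key, Windows Hello for Business or a certificate will be blocked by this grant, confirm registration for every targeted account (or pilot with a second policy scoped to a test group) before applying it tenant-wide.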
Related Controls
- CA-01: Require MFA for All Users (baseline policy)
- PA-03: Configure Emergency Access Accounts (prerequisite)
- PA-05: Require Phishing-Resistant MFA for Admins (advanced)
- DV-01: Require Compliant Devices for Admin Access (additional protection)