CA-02: Creating an Admin-Specific MFA Policy

Overview

This guide walks you through creating a Conditional Access policy that specifically targets administrative roles, ensuring administrators are always prompted for MFA regardless of other policies or conditions. This provides an additional layer of protection for your most privileged accounts.

Control ID: CA-02
Category: Conditional Access
Severity: Critical
License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)

Why This Matters

Administrator accounts are prime targets for attackers because they provide extensive access to your tenant. Even if you have a baseline MFA policy for all users (CA-01), a dedicated admin policy ensures:

  • No exceptions or bypasses for admin authentication
  • Visibility into admin authentication events specifically
  • Defense in depth - if the general policy is disabled, admins remain protected
  • Stricter controls can be applied to admins without affecting all users

Prerequisites

Required Roles

You need one of the following Entra ID roles:

  • Conditional Access Administrator (recommended - least privilege)
  • Security Administrator
  • Global Administrator

Required Licenses

  • Microsoft Entra ID P1 or higher for each user with admin roles
  • Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2

Pre-Configuration Requirements

Before creating this policy, ensure:

  1. Emergency access accounts exist - At least 2 break-glass accounts are created (see PA-03 guide)
  2. Baseline MFA policy exists - CA-01 should be in place first
  3. Admin roles are documented - Know which roles exist in your tenant

Time Estimate

Task                          Duration
Policy creation               10-15 minutes
Testing with admin accounts   30 minutes
Total                         45-60 minutes

Step-by-Step Instructions

Step 1: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. In the left navigation, expand Protection
  3. Select Conditional Access
  4. Click Policies in the submenu

Step 2: Create a New Policy

  1. Click + New policy at the top of the policies list
  2. Enter a descriptive name: Require MFA for All Administrators

Step 3: Configure Users and Groups

  1. Under Assignments, click Users
  2. Under Include, select Select users and groups
  3. Check Directory roles
  4. Select the following administrative roles (at minimum):

Critical Roles (always include):

  • Global Administrator
  • Privileged Role Administrator
  • Security Administrator
  • Conditional Access Administrator
  • Exchange Administrator
  • SharePoint Administrator
  • User Administrator
  • Authentication Administrator
  • Password Administrator
  • Billing Administrator
  • Compliance Administrator
  • Intune Administrator

Additional Recommended Roles:

  • Application Administrator
  • Cloud Application Administrator
  • Helpdesk Administrator
  • License Administrator
  • Groups Administrator
  • Teams Administrator

  5. Under Exclude, click Users and groups
  6. Add your emergency access accounts

Step 4: Configure Target Resources

  1. Under Target resources, click Cloud apps
  2. Select All cloud apps under Include

Note: You can alternatively target only "Microsoft Admin Portals" if you want to be more specific, but "All cloud apps" provides broader protection.

Step 5: Configure Conditions

For admin MFA, do NOT configure conditions that would reduce enforcement:

  • Locations: Leave unconfigured (admins should always require MFA)
  • Device platforms: Leave unconfigured
  • Client apps: Leave as default (all client apps)

Step 6: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require multifactor authentication
  4. Click Select

Step 7: Enable the Policy

Since this policy targets admins who should already have MFA configured:

  1. Under Enable policy, select On
  2. Click Create

Alternative - Report-only first: If you are unsure about impact, start with "Report-only" for 1 day, review sign-in logs, then enable.


Covered Administrative Roles

The following roles should be included in this policy. These are the privileged roles that provide significant access to your tenant:

Tier 0 - Highest Privilege

Role                              Description
Global Administrator              Full access to all tenant settings
Privileged Role Administrator     Can manage role assignments
Security Administrator            Manages security features
Conditional Access Administrator  Manages CA policies

Tier 1 - High Privilege

Role                              Description
Exchange Administrator            Manages Exchange Online
SharePoint Administrator          Manages SharePoint Online
User Administrator                Manages users and groups
Authentication Administrator      Manages authentication methods
Password Administrator            Resets passwords
Intune Administrator              Manages Intune/devices

Tier 2 - Moderate Privilege

Role                              Description
Application Administrator         Manages app registrations
Cloud Application Administrator   Manages cloud apps
Helpdesk Administrator            Resets passwords for non-admins
Groups Administrator              Manages groups
Teams Administrator               Manages Teams settings
Billing Administrator             Manages subscriptions

Verification Checklist

After enabling the policy, verify successful implementation:

Immediate Checks

  • Policy appears in the Conditional Access policies list with status "On"
  • All critical admin roles are selected in the Include section
  • Emergency access accounts are listed in the exclusions
  • No syntax errors or warnings appear on the policy

Admin Sign-in Validation

  1. Sign out and sign in with an account that has one of the targeted admin roles
  2. Verify MFA prompt appears immediately
  3. Complete MFA successfully
  4. Confirm access to admin portal is granted

Sign-in Log Validation

  1. Navigate to Entra admin center > Monitoring > Sign-in logs
  2. Filter by a user with an admin role
  3. Click on a recent sign-in and check the Conditional Access tab
  4. Verify your admin MFA policy appears with result "Success"

Emergency Account Validation

  1. Sign in with one emergency access account
  2. Verify MFA is NOT prompted (policy exclusion working)
  3. Document this test for audit purposes
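An added check, not part of this guide, that reads the same sign-in log evidence through Microsoft Graph PowerShell for both a targeted admin and an emergency access account. It assumes an existing Connect-MgGraph session with the AuditLog.Read.All and Directory.Read.All scopes; the UPNs are placeholders.

```powershell
# Added example (not from the original guide): verify the policy outcome in the sign-in logs.
$PolicyName = "Require MFA for All Administrators"

function Get-PolicyOutcome {
    param([string]$Upn, [int]$Top = 20)
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top $Top
    foreach ($s in $signIns) {
        $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $PolicyName }
        [pscustomobject]@{
            Time         = $s.CreatedDateTime
            App          = $s.AppDisplayName
            AuthLevel    = $s.AuthenticationRequirement      # multiFactorAuthentication / singleFactorAuthentication
            PolicyResult = if ($hit) { $hit.Result } else { "missing" }   # success, failure, notApplied, reportOnly*
        }
    }
}

# Targeted admin: every recent interactive sign-in should show the policy with result "success"
# ("reportOnlySuccess" while the policy is still in report-only mode). Sign-ins that predate
# the policy show up as "missing" and can be ignored.
$admin = Get-PolicyOutcome -Upn "admin.user@example.onmicrosoft.com"     # placeholder UPN
$admin | Format-Table
$notEnforced = $admin | Where-Object { $_.PolicyResult -notin @("success", "reportOnlySuccess", "missing") }
if ($notEnforced) {
    Write-Warning "$($notEnforced.Count) admin sign-in(s) where the policy did not enforce MFA; see Troubleshooting"
}

# Emergency access account: the policy should appear as "notApplied" (exclusion working).
$bg = Get-PolicyOutcome -Upn "breakglass1@example.onmicrosoft.com"       # placeholder UPN
if ($bg | Where-Object { $_.PolicyResult -in @("success", "failure") }) {
    Write-Warning "Admin MFA policy applied to the emergency account; check the Exclude list"
}
```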

Troubleshooting

Admin Not Prompted for MFA

Symptom: User with admin role is not prompted for MFA.

Solutions:

  1. Verify the specific admin role is selected in the policy
  2. Check if the user's role is assigned directly or through PIM (eligible roles may not trigger)
  3. Ensure the policy is set to "On" (not "Report-only")
  4. Use the "What If" tool to validate the policy applies

PIM Eligible Roles Not Triggering Policy

Symptom: Users with PIM eligible roles are not prompted for MFA.

Explanation: Directory role targeting in CA applies to active role assignments only. Users with eligible (not activated) PIM roles are not considered to have the role.

Solutions:

  1. This is expected behavior - users are protected once they activate
  2. Consider creating a separate policy for PIM-eligible users if needed
  3. Configure PIM to require MFA on activation (recommended approach)
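For a user who was not prompted, the following added example (not from this guide) lists which admin roles are held as active assignments, which the directory-role targeting covers, versus PIM-eligible only, which it does not. It assumes the Microsoft.Graph.Identity.Governance module and a session with the RoleAssignmentSchedule.Read.Directory, RoleEligibilitySchedule.Read.Directory and Directory.Read.All scopes; the UPN is a placeholder.

```powershell
# Added example (not from the original guide): active vs eligible-only admin roles for one user.
$upn    = "admin.user@example.onmicrosoft.com"      # placeholder
$userId = (Get-MgUser -UserId $upn -Property Id).Id

# Map role definition IDs to display names (built-in definitions share IDs with role templates).
$defs = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $defs[$_.Id] = $_.DisplayName }

$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$userId'"
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$userId'"

"Active roles (CA directory-role targeting applies):"
foreach ($a in $active) {
    $until = if ($a.EndDateTime) { $a.EndDateTime } else { "permanent" }
    "  {0} [{1}] until {2}" -f $defs[$a.RoleDefinitionId], $a.AssignmentType, $until   # Assigned or Activated
}

"Eligible-only roles (policy applies only after PIM activation):"
$eligible | Where-Object { $_.RoleDefinitionId -notin $active.RoleDefinitionId } |
    ForEach-Object { "  {0}" -f $defs[$_.RoleDefinitionId] }
```

A role that appears only in the second list explains the missing prompt; require MFA on activation in the PIM role settings so the user is challenged at that point.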

Too Many Roles Selected

Symptom: Non-admin users are being prompted unexpectedly.

Solutions:

  1. Review which roles are selected in the policy
  2. Ensure only intentional admin roles are included
  3. Consider creating multiple policies for different admin tiers

Conflicting Policies

Symptom: The admin MFA policy is being overridden by another policy.

Solutions:

  1. Check all CA policies for conflicts
  2. Remember that Conditional Access applies the most restrictive result: every policy that matches a sign-in must be satisfied
  3. Review any policy that grants access without MFA under specific conditions; such a policy may be the one matching the sign-in
  4. Use the "What If" tool to see all applicable policies

Policy Configuration Summary

Setting           Value
Policy Name       Require MFA for All Administrators
Users - Include   Directory roles: Global Admin, Security Admin, etc.
Users - Exclude   Emergency access accounts
Cloud Apps        All cloud apps
Conditions        None
Grant             Require multifactor authentication
Session           None
Enable Policy     On

Advanced Configuration: Authentication Strength

For enhanced security, you can require specific MFA methods for admins:

Using Authentication Strength (Preview/GA)

  1. In the Grant controls, clear Require multifactor authentication
  2. Select Require authentication strength instead
  3. Choose Phishing-resistant MFA or create a custom authentication strength

This enforces methods like:

  • FIDO2 security keys
  • Windows Hello for Business
  • Certificate-based authentication

Note: This requires Entra ID P1 and users must have registered the required methods.
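The same switch applied to the existing CA-02 policy through Microsoft Graph PowerShell, as an added example that is not part of this guide. It assumes a Connect-MgGraph session with the Policy.Read.All and Policy.ReadWrite.ConditionalAccess scopes and that the policy was created with the name used above.

```powershell
# Added example (not from the original guide): replace "Require MFA" with the built-in
# "Phishing-resistant MFA" authentication strength on the CA-02 policy.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for All Administrators'"
if (-not $policy) { throw "CA-02 policy not found" }

# Resolve the built-in strength by name instead of hard-coding its GUID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
"Allowed combinations: " + ($strength.AllowedCombinations -join ", ")

# A policy cannot carry both a built-in MFA control and an authentication strength,
# so the grant controls are replaced as a whole.
$grant = @{
    operator               = "OR"
    builtInControls        = @()
    authenticationStrength = @{ id = $strength.Id }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ grantControls = $grant }

# Before enforcing, confirm every targeted admin has registered one of the allowed methods;
# an admin without one is locked out until an excluded emergency access account intervenes.
```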


Related Controls

  • CA-01: Require MFA for All Users (baseline policy)
  • PA-03: Configure Emergency Access Accounts (prerequisite)
  • PA-05: Require Phishing-Resistant MFA for Admins (advanced)
  • DV-01: Require Compliant Devices for Admin Access (additional protection)

Additional Resources