MFA For Admin Baseline needs more granular settings
We were introduced to the new securescore.com items recently as we started working with MFA & Conditional access policies to help better protect our workforce at large, & the very first item on our secure score checklist was "Enable MFA For admins" using the baseline to improve our score.
Yesterday we tried switching this on & basically had to disable it due to the impact it had on mail-enabled admin accounts & the headaches it caused with Outlook & mobile device email by forcing those endpoints to re-authenticate daily to receive email.
We would like to propose adding more granular controls to the baseline since in its current form it only allows us to exclude users.
As we see this, the MFA for Admins should be able to allow us the granularity to enforce only for browser sessions & allow bypass ability for Mobile & Outlook apps (considering we are being advised to move away from app passwords & use modern authentication moving forward, this seems like it should have already been thought of).
It seems to make sense to allow Administrators the ability to shape this baseline policy with the ability to set geolocations & trusted IP ranges, like we can for a custom conditional access policy, so we are not unintentionally leaving room for missed support requests that may come into a global admin mailbox.