Baseline Policy: Require MFA for Admins (Preview) Needs to exclude groups
Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.
This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.
This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.
Bring back group exclusion for manageability!!
In the document "Manage emergency access accounts in Azure AD" MS advise to create an "excluded" account to prevent accidental lockout and thus not being able to manage the tenant.
This goes against this Baseline Policy since it does not allow exclusions - like the emergency account depicted in the above document.
Yep - need to be able to exclude break-glass accounts per your own docs.
Exclude at least one account from phone-based multi-factor authentication
Why not use your own recommendations?
Zach Edwards commented
As a workaround, disable the baseline policy and create a custom conditional access policy to enforce MFA. For Users/Groups, include the desired directory roles and exclude your AAD group.
In my opinion, baseline products serve as recommendations. Thus baseline policies should represent industry best practice to enforce MFA, especially on privileged identities.
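The workaround described in the comment above, as an added example that is not part of the original thread: a custom Conditional Access policy created with the Microsoft.Graph PowerShell module that includes the Global Administrator directory role and excludes an Azure AD group. The group object ID is a placeholder, and the policy is created in report-only state first so sign-in logs show who would be affected before it is enforced.

```powershell
# Added example (not from the thread): custom CA policy that requires MFA for
# an admin directory role while excluding a group of break-glass/service accounts.
# Assumes the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Placeholder: object ID of the group holding emergency access / service accounts.
$excludedGroupId = "00000000-0000-0000-0000-000000000000"

# Well-known Global Administrator role template ID; verify it in your tenant
# with Get-MgDirectoryRoleTemplate before relying on it.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

$policy = @{
    displayName = "Require MFA for admin roles (custom, replaces baseline)"
    # Report-only: evaluates and logs the result without blocking anyone yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeRoles  = @($globalAdminRoleId)
            excludeGroups = @($excludedGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the group exclusion is present before
# changing the state to "enabled".
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Users.ExcludeGroups
```

Review the report-only results in the Azure AD sign-in logs for the excluded group and the admin accounts before switching the state to "enabled".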
Waters, Jeremy commented
ALL of the baseline policies need to permit use of groups in the exclusions. We use groups for our emergency access accounts, service accounts, users temporarily excluded from MFA for troubleshooting... etc. The membership of that last one is transient - and we cannot go editing CA policies (bad practice) when the target list of users changes.
Bob McCoy commented
All of the baseline policies should allow for AD Groups in the exclusion list! I have 300,000 users and while we have a rather small population of admins and the MFA for Admins baseline is not a significant issue for us, the Baseline to block legacy protocols is. I really want to utilize this baseline but we have over 3,000 users who are currently using a client that is using legacy protocols and/or not using modern authentication. I cannot add 3,000 users one-by-one with the current tool.
I simply do not understand why a custom created Conditional Access policy can allow for groups to be added but these baseline policies do not.