Add possibility to exclude groups/users from Security defaults
Almost all tenants have some accounts that can't do MFA, e.g. for info screens or system integration. Security defaults would be enforced upon all users... meaning we can't enable Security defaults for most of our customers! Microsoft also recommends excluding an emergency access account from MFA.
Security Defaults is targeted towards customers that have simple security requirements and do not have complex environments. If you require policy customization, we recommend using Conditional Access which allows for rich flexibility and customization. However, certain system integrations and automation can be tackled with dedicated service principals.
+1 for this. We need it for specific general accounts that are denied logon from outside our building through conditional access, so MFA is not needed or required, and SSPR should not be in effect. Maintaining an include group is much more labour intensive than maintaining an exclude group.
Jens Lorenz commented
Apart from a break-glass account, there should also be the option to exclude the guest role, because Security Defaults will not be turned on if every new guest account needs to register for MFA - especially when just sharing a file.
Ramil Mammadov commented
Yeah, it's necessary for better control over all baseline policies.
Eric Nilson commented
+1. This used to be available but no longer is. This is important.
Eric Nilson commented
For all baseline conditional access policies, it is important to be able to either include or exclude users to help with phasing a rollout. There are a number of scenarios where it is not practical to dump truck a universal policy while rolling out. This was allowed at one point but is now not available.
The entry level QA resources at my company would have caught this... what gives Microsoft? This kind of oversight makes my job harder.
Need exclude/include groups/users in the Azure AD baseline security policies SR-1172
Andy Whitehouse commented
Need to get the dates as well as the option for exclusion in the baseline Policy.
The guidance on your website states: "During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies. If you have enabled a baseline policy, you should exclude your emergency access accounts."
However, none of the four Baseline policies provide the ability to exclude any users. This directly contradicts the guidance on your website. The "Require MFA for Service Management" policy even states the following when we attempt to enable it:
"Don't get locked out. This policy can potentially prevent your admins from accessing Azure. Exclude at least one admin."
However, again, there is no option to EXCLUDE any users.
The only workaround to this is to manually enable MFA for admins, or to purchase Azure AD Premium licenses. This is not acceptable and our clients are frustrated by this.
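The guidance quoted above (exclude at least one emergency access account, and use Conditional Access rather than a baseline or Security Defaults when exclusions are needed) maps onto the Microsoft Graph `conditionalAccessPolicy` resource, which does carry `excludeUsers` and `excludeGroups`. The following is an added example, not code from this thread or from Microsoft: it builds that request body, starts the policy in report-only mode, and checks for the lock-out condition the portal warns about before anything is enforced. The object IDs are constructed placeholders and the `GRAPH_CA_POLICIES` URL is the v1.0 endpoint; it assumes the tenant is licensed for Conditional Access.

```python
import json

# Microsoft Graph endpoint for Conditional Access policies (POST creates one).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(emergency_account_ids, excluded_group_ids, enforce=False):
    """Build a CA policy body: MFA for all users, minus explicit exclusions.

    The policy starts in report-only mode unless enforce=True, so the effect
    on the excluded accounts can be reviewed in sign-in logs first.
    """
    return {
        "displayName": "Require MFA for all users (with exclusions)",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(emergency_account_ids),   # break-glass accounts
                "excludeGroups": list(excluded_group_ids),     # e.g. info-screen / integration accounts
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lockout_risks(policy, emergency_account_ids):
    """Return reasons this policy could lock admins out; empty list means none found."""
    users = policy["conditions"]["users"]
    problems = []
    missing = [a for a in emergency_account_ids if a not in users.get("excludeUsers", [])]
    if missing:
        problems.append(f"emergency access account(s) not excluded: {missing}")
    if not users.get("excludeUsers") and not users.get("excludeGroups"):
        problems.append("policy has no exclusions at all")
    return problems


if __name__ == "__main__":
    # Constructed placeholder object IDs; replace with real directory object IDs.
    EMERGENCY = ["00000000-0000-0000-0000-00000000be9a"]
    NO_MFA_GROUP = ["00000000-0000-0000-0000-0000000001f0"]
    policy = build_mfa_policy(EMERGENCY, NO_MFA_GROUP)
    assert not lockout_risks(policy, EMERGENCY)
    print(json.dumps(policy, indent=2))  # request body for POST to GRAPH_CA_POLICIES
```

Once sign-in logs show the report-only policy behaving as intended for the excluded accounts, the same body with `enforce=True` switches it to enforced.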
Sean Adams commented
Currently the Preview Baseline Policy only allows users to be excluded from Modern Authentication. Allow Groups to also be used in addition to Users, especially as exclusion targets.
We use groups for MFA and would like the ability to select Groups within "Include Users". It's also nice to be able to test it out with a smaller group before deploying it to the whole environment, and without having to use "Exclude Users" for service accounts.
Using Azure AD Conditional Access: "Baseline policy: Require MFA for admins". Can you please add the ability to include an Azure AD Group in the exclusion list? Currently it only allows individual users.