Baseline Policy: Require MFA for Admins (Preview) needs to be able to exclude groups.
This policy does not pay attention to trusted location. Therefore, your global admin or other admin SERVICE ACCOUNTS will get blocked unless you exclude them one-by-one.
This is very disruptive. This policy used to allow excluding groups and they changed it to only excluding users. Not all companies can move at the pace Microsoft is enforcing. We cannot make all of our service accounts into some other solution which won't get impacted and still work for us.
Bring back group exclusion for manageability!!
60 votes
Baseline policy has been deprecated.
Almost all tenants have some accounts that can't do MFA, e.g. for info screens or system integration. Security defaults would be enforced upon all users... meaning we can't enable Security defaults for most of our customers! Microsoft also recommends excluding an emergency access account from MFA.
40 votes
Security Defaults is targeted towards customers that have simple security requirements and do not have complex environments. If you require policy customization, we recommend using Conditional Access which allows for rich flexibility and customization. However, certain system integrations and automation can be tackled with dedicated service principals.