It is crucial to protect your admin accounts, especially when we talk about Azure services. There is a new feature in Public Preview to implement it today, that will effectively protect your Azure AD privileged accounts. During the last year, identity attacks have increased by 300%. To protect your environment from the ever-increasing attacks, Azure Active Directory (Azure AD) introduces a new feature called baseline protection. Baseline protection is a set of predefined conditional access policies that can be found in the Azure AD Portal.
You can navigate to the Azure Portal, then go to Azure AD and then to Conditional Access. You can now see that there is a new policy called “Baseline Policy”:
The default setting is to enable that policy in the future and enable MFA for the critical admins groups in Azure AD, unless you want to change the default setting and enable it immediately. You also have the option to exclude some groups or users, although this is not recommended.
While managing custom conditional access policies requires an Azure AD Premium license, baseline policies are available in all editions of Azure AD.
The directory roles that are included in the baseline policy are the most privileged Azure AD roles.
If you have privileged accounts that are used in your scripts, you should replace them with Managed Service Identity (MSI) or service principals with certificates. As a temporary workaround, you can exclude specific user accounts from the baseline policy.
Recommendation: Exclude one “emergency-access administrative account” to ensure you are not locked out of the tenant.
And remember, we offer a list of Azure online courses, so you can get the proper training and gest certified on Microsoft Azure. You can see the courses offered here.
Thanks for your time!