Microsoft-Managed Conditional Access Policies Will Start Soon

Cyberattacks are probably one of the largest threats your organization faces. More than 2,200 cyberattacks occur each day, costing companies millions of dollars annually.    

From account takeovers to phishing attempts, your cybersecurity should be able to withstand a hostile landscape. Since you already have enough on your plate, Microsoft has taken on the responsibility of strengthening your organization’s security. If you’re a Microsoft customer, security policies such as enabling multifactor authentication for users will soon be auto-enforced. To be prepared for this new initiative, here’s everything you should know about Microsoft-managed conditional access policies.

Why is Microsoft enforcing auto-rollout policies? 

Since Microsoft released its multifactor authentication feature, there has been an 80% reduction in reported cases of Microsoft accounts being hacked. What’s also impressive is the authentication factor’s ability to recover accounts, with an 81% recovery rate for hacked accounts. This feature has proven effective against cyber threats, but multifactor authentication utilization among Microsoft Entra ID users is currently just over 37%.   

To protect the security of its customers, Microsoft is set on achieving a 100% adoption rate among its enterprise users. To realize this goal, Microsoft is doing an auto-rollout of conditional access policies. 

What are Microsoft-managed conditional access policies? 

These are policies that Microsoft is deploying on your behalf. The first three policies Microsoft is rolling out all relate to multifactor authentication:

  1. Require multifactor authentication when an admin signs in to a Microsoft admin portal. This is applied to all customers.
  2. Require multifactor authentication for all cloud apps. This is applied to existing per-user multifactor authentication customers.
  3. Require multifactor authentication for high-risk sign-ins. This is applied to Microsoft Entra ID Premium Plan 2 customers. 

Although Microsoft strongly recommends that you remain opted in for this auto-rollout, you can turn off these policies or customize them by excluding users, groups, and roles. 

Important details to prepare your organization 

Microsoft rolled out these policies to eligible tenants between November 9, 2023, and December 31, 2023, and gave those tenants 90 days to review the guidelines and manage exclusions. This 90-day period ends soon, and enforcement will begin between February and March 2024. If you haven’t already, customize or turn off the policies for your organization before they are turned on.
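One way to run that review offline, as an added example that is not from the original article or from Microsoft: the Python below reads a policy export in the shape returned by Microsoft Graph's `GET /identity/conditionalAccess/policies` and reports each managed policy's state and its user, group and role exclusions. The sample data is constructed, and the `Microsoft-managed` display-name prefix used to select policies is an assumption.

```python
import json

# Constructed export in the shape of Microsoft Graph conditionalAccessPolicy
# objects; display names and IDs are placeholders, not real tenant values.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Microsoft-managed: MFA for admin portals (constructed)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"excludeUsers": ["<user-id-1>"],
                           "excludeGroups": [], "excludeRoles": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Microsoft-managed: MFA for all cloud apps (constructed)",
  "state": "disabled",
  "conditions": {"users": {"excludeUsers": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth (constructed)", "state": "enabled",
  "conditions": {"users": {"excludeGroups": ["<group-id-1>"]}},
  "grantControls": {"builtInControls": ["block"]}}
]}
""")

# Graph policy states mapped to what they mean for this rollout.
STATE_MEANING = {
    "enabledForReportingButNotEnforced": "report-only: review before enforcement",
    "enabled": "enforced",
    "disabled": "turned off",
}

# The default prefix is an assumption; adjust it to match your tenant.
def review_policies(export, prefix="Microsoft-managed"):
    """Summarise state, MFA requirement and exclusions per managed policy."""
    findings = []
    for policy in export.get("value", []):
        name = policy.get("displayName", "")
        if not name.startswith(prefix):
            continue  # tenant-authored policy, out of scope for this review
        users = (policy.get("conditions") or {}).get("users") or {}
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        findings.append({
            "policy": name,
            "status": STATE_MEANING.get(policy.get("state"), "unknown state"),
            "requires_mfa": "mfa" in controls,
            "exclusions": {k: users.get(k) or [] for k in
                           ("excludeUsers", "excludeGroups", "excludeRoles")},
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(review_policies(SAMPLE_EXPORT), indent=2))
```

Each excluded ID in the output is an identity the MFA requirement will not apply to once the policy is on, so confirm every one is intentional.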
