Microsoft has announced plans to activate Microsoft Entra ID Conditional Access policies for certain Microsoft 365 licenses. The imminent activation marks a significant step in Microsoft's commitment to bolstering the security landscape for its user base. Starting in February and extending into March, these policies will mandate multifactor authentication protocols, particularly for administrative portals, individual user cloud app licenses, and accounts identified as high-risk.
Policy Rollouts and IT Preparations
IT professionals are advised to examine these Entra ID policies in advance of their activation to ensure alignment with organizational needs. Necessary alterations and deactivations should be completed ahead of the planned deployment period. The Conditional Access policies are currently operational in a passive “report-only” mode, which allows organizations to observe potential policy impacts without enforcement. Microsoft will then move the policies from this observational state into active enforcement.
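One way to run the pre-activation review described above, as an added example that is not Microsoft's code and not part of the original article: it reads a constructed sample shaped like a Microsoft Graph Conditional Access policy export and lists the report-only policies that would require MFA once enforced, flagging those with no user or group exclusions. The function name review_queue and all sample policy names and IDs are assumptions made for illustration.

```python
# Added example: triage a Conditional Access export before report-only policies are enforced.
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph 'state' value for report-only

# Constructed sample shaped like GET /identity/conditionalAccess/policies ("value" array).
# Names and IDs are made up; this is not real tenant data.
SAMPLE_POLICIES = [
    {"displayName": "Sample: MFA for admin portals", "state": REPORT_ONLY,
     "conditions": {"users": {"excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Sample: MFA for all cloud apps", "state": REPORT_ONLY,
     "conditions": {"users": {"excludeUsers": [], "excludeGroups": ["sample-automation-group-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Sample: MFA already enforced", "state": "enabled",
     "conditions": {"users": {"excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Sample: session controls only", "state": REPORT_ONLY,
     "conditions": {"users": {}, "applications": {"includeApplications": ["All"]}},
     "grantControls": None},
]


def review_queue(policies):
    """Return a finding for each report-only policy that would require MFA once enforced."""
    findings = []
    for policy in policies:
        if policy.get("state") != REPORT_ONLY:
            continue  # already enforced or disabled: nothing changes at activation
        grant = policy.get("grantControls") or {}  # null for session-control-only policies
        if "mfa" not in (grant.get("builtInControls") or []):
            continue
        conditions = policy.get("conditions") or {}
        users = conditions.get("users") or {}
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        findings.append({
            "policy": policy.get("displayName", "<unnamed>"),
            "apps": (conditions.get("applications") or {}).get("includeApplications") or [],
            "exclusions": len(excluded),
            # No exclusions: automation or emergency-access accounts are in scope too.
            "needs_exclusion_review": not excluded,
        })
    return findings


if __name__ == "__main__":
    for finding in review_queue(SAMPLE_POLICIES):
        print(finding)
```

Policies flagged with needs_exclusion_review are the ones to check against any automated processes that cannot complete an MFA prompt before the policy leaves report-only mode.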
Conditions and Customizations for Organizations
Despite a framework of enhanced security standards, Microsoft recognizes the diversity of organizational requirements, promoting granular control over these new security measures. Microsoft-managed Conditional Access policies are configured to offer a balance between recommended security practices and individual customization options. Notably, certain legacy authentication protocols may still require support, and exceptions may be necessary for particular automated processes.
Alex Weinert, Vice President of Identity Security at Microsoft, has highlighted the effectiveness of multifactor authentication in curbing phishing attacks. Building on the success seen with consumer Microsoft accounts, where a more than 80 percent reduction in account compromises was observed, Microsoft is now extending a similar approach to corporate tenancies.
The initiative to deliver these Conditional Access policies was first discussed by Weinert in November, outlining the strategic implementation of security defaults. The future of Conditional Access policies includes combining machine learning-based insights with automated policy rollout to tailor security measures to specific organizational profiles. However, a timeline for these sophisticated customizations has not yet been disclosed.
As the activation date approaches, partners and businesses covered by Microsoft 365 E3, E5, and Business Premium plans must review and prepare for Microsoft's enforcement of these enhanced security measures, which are intended as a proactive defense against sophisticated cybersecurity threats.