Browse to https://portal.azure.com/#home (login if prompted).

Click Azure AD Conditional Access.

Click New Policy

Enter a descriptive name such as MFA for Admins.

Click Users and groups.

On the Include tab, click the Select users and groups radio button, then click the Directory roles (Preview) checkbox.

Expand the listbox under Directory roles (Preview). Select the following nine roles:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator
  • Helpdesk administrator
  • Password administrator
  • Billing administrator
  • User administrator

Click the Exclude tab, then click the Users and groups checkbox.

Click Select excluded users, then in the Select excluded users flyout enter the name of your emergency access or “break glass” account. Select the account when it’s displayed. If all admins end up locked out of the tenant by some cruel twist of fate, then this account provides access to fix whatever issues cropped up creating the lockout. Click Select.

Click Done.

Under the Assignments heading, click Cloud apps or actions. Click Cloud apps to Select what this policy applies to, then click All cloud apps on the Include tab. Click Done.

Under the Access controls heading, click Grant. Click Grant access, click the Require multi-factor authentication checkbox, then click Select.

Click On for Enable Policy, then click the radio button for “I understand that my account will be impacted by this policy. Proceed anyway.” Click Create.

The policy is validated, the Conditional Access – Policies blade displays, and the new policy is displayed under Policy Name. A message confirming the policy is created displays.

I’ll cover enrolling for MFA using the Microsoft Authenticator app in another blog post. Until then, happy computing checkyourlogs.net fans!