Conditional Access Policy - Require MFA for Administrators

This Azure Conditional Access policy enforces MFA for certain Administrator roles

Create an Active Directory group for Exclusions

Create a new conditional access policy

Azure Active Directory - Security - Conditional Access - New policy

Name: Require MFA for Administrators

Users and groups:

Include - Select users and groups - select these Admin roles

Authentication Administrator
Billing administrator
Conditional Access administrator
Exchange administrator
Global administrator
Helpdesk administrator
Password administrator
Security administrator
SharePoint administrator
User administrator

Exclude: CAP Azure Exclude from CA (AD group for exclusions)

Cloud apps: Include All cloud apps

Access controls: Grant access
Require multi-factor authentication
Require one of the selected controls

Enable the policy in report-only mode for testing

Monitor Azure Active Directory Sign-ins

Azure Active Directory - Monitoring - Sign-ins

Select the sign-in request and check the report-only tab to see the conditional access policy report-only results

In this example we can see that the policy "Require MFA for Administrators" was not applied because the policy is in report-only mode but the policy result would be "User action required" which means that the user would be prompted to setup MFA at logon.

Clicking on show details will give you more info about the report-only results

In this example the details show that the policy would be applied as the user has an admin role and the access control would be granted only if the user completes MFA "User action required"

If everything looks OK in the sign-in logs and the policy is working as expected you can enable the policy