Regarding the impact of enabling the Azure Active Directory baseline protection (requiring MFA from administrators) feature

for Microsoft 365

Q.

It has been announced that the baseline protection feature of Azure Active Directory (requiring MFA for administrators) will be enabled. Please let us know the impact of enabling this feature. If there is an impact, please also provide the necessary countermeasures.

(※) Reference URL
https://docs.microsoft.com/ja-jp/azure/active-directory/conditional-access/baseline-protection

 

 

A.

There is no impact on the "Single Sign-On" with the Microsoft 365 administrator account. MFA (Multi-Factor Authentication) for Microsoft 365 (Azure AD) is requested after HDE One login, so it does not affect the operation of Single Sign-On.

Additional measures are required in two cases: when the "Account Sync" check below shows that you are affected, and when you use the Microsoft 365 administrator account for "PowerShell or script execution."

[Account Sync Confirmation Method]
If you are synchronizing accounts from HDE One to Microsoft 365 (Azure AD) by running the HDE Sync Tool (HDE One Directory Sync) in your environment, additional measures are required.

1. Log in to the HDE Access Control management screen as an administrator and open [Sync Logs].

2. If "HDE Access Control >> Windows Azure Active Directory" is displayed in the logs, additional measures are required.

・Reference image (requires action)

※ If you are synchronizing accounts from your on-premises Active Directory to HDE using the HDE One Directory Sync tool, no action is required. Similarly, if synchronization services are running on our cloud rather than in your environment, there is no impact.

・Reference image (no action required)

Case1. Do not enable the relevant feature (Baseline Protection).

Case2. Exclude the administrator account you are using from the scope of the relevant feature.

 

[Configuration Steps]

1. Access the Azure Portal as a Microsoft 365 Global Administrator
https://portal.azure.com/

2. Select [Azure Active Directory] from the left menu.

3. Select [Conditional Access] > [Policies] > [Baseline policy: Require MFA for admins].


4. Under [Enable Policy], choose the option to apply. To disable the policy, select "Do not use the policy" and click the save button. If you choose "Automatically enable the policy in the future" or "Use the policy immediately," also configure the settings in step 5 below.

5. Select [Exclude users and groups] > [Select users to exclude], in that order. Search for and select (click) the administrator users to exclude, then click [Select] > [Finish] > [Save].


The configuration is now complete.

 

          