Merge pull request #77525 from MicrosoftDocs/master

Merge master to live 3:00 AM

Author: ktoliver

.openpublishing.redirection.json

@@ -17369,6 +17369,11 @@
       "redirect_url": "/azure/active-directory/hybrid/how-to-connect-sync-best-practices-changing-default-configuration",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/conditional-access/baseline-protection.md",
+      "redirect_url": "/azure/active-directory/conditional-access/concept-baseline-protection",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/active-directory/connect/active-directory-aadconnectsync-change-addsacct-pass.md",
       "redirect_url": "/azure/active-directory/hybrid/how-to-connect-sync-change-addsacct-pass",

articles/active-directory/conditional-access/TOC.yml

@@ -19,8 +19,8 @@
 - name: Concepts
   expanded: false
   items:
-  - name: Baseline Protection
-    href: baseline-protection.md
+  - name: Baseline protection policies
+    href: concept-baseline-protection.md
   - name: Conditions
     href: conditions.md
   - name: Location conditions
@@ -38,6 +38,16 @@
     href: plan-conditional-access.md
   - name: Best practices
     href: best-practices.md
+  - name: Baseline policies
+    items:
+    - name: Require MFA for admins
+      href: howto-baseline-protect-administrators.md
+    - name: End user protection
+      href: howto-baseline-protect-end-users.md
+    - name: Block legacy authentication
+      href: howto-baseline-protect-legacy-auth.md
+    - name: Require MFA for service management
+      href: howto-baseline-protect-azure.md
   - name: Block legacy authentication
     href: block-legacy-authentication.md
   - name: Migrate classic policies

articles/active-directory/conditional-access/baseline-protection.md

@@ -0,0 +1,99 @@
+---
+title: Conditional access baseline protection policies - Azure Active Directory
+description: Baseline conditional access policies to protect organizations from common attacks
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 05/16/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: calebb, rogoya
+
+ms.collection: M365-identity-device-management
+---
+# What are baseline policies?
+
+Baseline policies are a set of predefined policies that help protect organizations against many common attacks. These common attacks can include password spray, replay, and phishing. Baseline policies are available in all editions of Azure AD. Microsoft is making these baseline protection policies available to everyone because identity-based attacks have been on the rise over the last few years. The goal of these four policies is to ensure that all organizations have a baseline level of security enabled at no extra cost.  
+
+Managing customized conditional access policies requires an Azure AD Premium license.
+
+## Baseline policies
+
+![Conditional access baseline policies in the Azure portal](./media/concept-baseline-protection/conditional-access-baseline-policies.png)
+
+There are four baseline policies that organizations can enable:
+
+* [Require MFA for admins](howto-baseline-protect-administrators.md)
+* [End user protection (preview)](howto-baseline-protect-end-users.md)
+* [Block legacy authentication (preview)](howto-baseline-protect-legacy-auth.md)
+* [Require MFA for service management (preview)](howto-baseline-protect-azure.md)
+
+All four of these policies will impact legacy authentication flows like POP, IMAP, and older Office desktop clients.
+
+### Require MFA for admins
+
+Due to the power and access that administrator accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign in. In Azure Active Directory, you can get a stronger account verification by requiring administrators to register for and use Azure Multi-Factor Authentication.
+
+[Require MFA for admins](howto-baseline-protect-administrators.md) is a baseline policy that requires multi-factor authentication (MFA) for the following directory roles, considered to be the most privileged Azure AD roles:
+
+* Global administrator
+* SharePoint administrator
+* Exchange administrator
+* Conditional access administrator
+* Security administrator
+* Helpdesk administrator / Password administrator
+* Billing administrator
+* User administrator
+
+If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude specific user accounts from the baseline policy.
+
+### End user protection (preview)
+
+High privileged administrators aren’t the only ones targeted in attacks. Bad actors tend to target normal users. After gaining access, these bad actors can request access to privileged information on behalf of the original account holder or download the entire directory and perform a phishing attack on your whole organization. One common method to improve the protection for all users is to require a stronger form of account verification when a risky sign-in is detected.
+
+**End user protection (preview)** is a baseline policy that protects all users in a directory. Enabling this policy requires all users to register for Azure Multi-Factor Authentication within 14 days. Once registered, users will be prompted for MFA only during risky sign-in attempts. Compromised user accounts are blocked until password reset and risk dismissal.
+
+### Block legacy authentication (preview)
+
+Legacy authentication protocols (ex: IMAP, SMTP, POP3) are protocols normally used by older mail clients to authenticate. Legacy protocols do not support multi-factor authentication. Even if you have a policy requiring multi-factor authentication for your directory, a bad actor can authenticate using one of these legacy protocols and bypass multi-factor authentication.
+
+The best way to protect your account from malicious authentication requests made by legacy protocols is to block them.
+
+The **Block legacy authentication (preview)** baseline policy blocks authentication requests that are made using legacy protocols. Modern authentication must be used to successfully sign in for all users. Used in conjunction with the other baseline policies, requests coming from legacy protocols will be blocked. In addition, all users will be required to MFA whenever required. This policy does not block Exchange ActiveSync.
+
+### Require MFA for service management (preview)
+
+Organizations use a variety of Azure services and manage them from Azure Resource Manager based tools like:
+
+* Azure portal
+* Azure PowerShell
+* Azure CLI
+
+Using any of these tools to perform resource management is a highly privileged action. These tools can alter subscription-wide configurations, such as service settings and subscription billing.
+
+To protect privileged actions, this **Require MFA for service management (preview)** policy will require multi-factor authentication for any user accessing Azure portal, Azure PowerShell, or Azure CLI.
+
+## Enable a baseline policy
+
+To enable a baseline policy:
+
+1. Sign in to the **Azure portal** as global administrator, security administrator, or conditional access administrator.
+1. Browse to **Azure Active Directory** > **Conditional Access**.
+1. In the list of policies, select a baseline policy you’d like to enable.
+1. Set **Enable policy** to **On**.
+1. Click Save.
+
+## Next steps
+
+For more information, see:
+
+* [Five steps to securing your identity infrastructure](../../security/azure-ad-secure-steps.md)
+* [What is conditional access in Azure Active Directory?](overview.md)
+* [Require MFA for admins](howto-baseline-protect-administrators.md)
+* [End user protection (preview)](howto-baseline-protect-end-users.md)
+* [Block legacy authentication (preview)](howto-baseline-protect-legacy-auth.md)
+* [Require MFA for service management (preview)](howto-baseline-protect-azure.md)

articles/active-directory/conditional-access/concept-baseline-protection.md

@@ -0,0 +1,78 @@
+---
+title: Baseline policy Require MFA for admins - Azure Active Directory
+description: Conditional access policy to require multi-factor authentication for administrators
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 05/16/2019
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: daveba
+ms.reviewer: calebb, rogoya
+
+ms.collection: M365-identity-device-management
+---
+# Baseline policy: Require MFA for admins
+
+Users with access to privileged accounts have unrestricted access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign-in. In Azure Active Directory, you can get a stronger account verification by requiring multi-factor authentication (MFA).
+
+**Require MFA for admins** is a [baseline policy](concept-baseline-protection.md) that requires MFA every time one of the following privileged administrator roles signs in:
+
+* Global administrator
+* SharePoint administrator
+* Exchange administrator
+* Conditional access administrator
+* Security administrator
+* Helpdesk administrator / Password administrator
+* Billing administrator
+* User administrator
+
+Upon enabling the Require MFA for admins policy, the above nine administrator roles will be required to register for MFA using the Authenticator App. Once MFA registration is complete, administrators will need to perform MFA every single time they sign-in.
+
+![Require MFA for admins baseline policy](./media/howto-baseline-protect-administrators/baseline-policy-require-mfa-for-admins.png)
+
+## Deployment considerations
+
+Because the **Require MFA for admins** policy applies to all critical administrators, several considerations need to be made to ensure a smooth deployment. These considerations include identifying users and service principles in Azure AD that cannot or should not perform MFA, as well as applications and clients used by your organization that do not support modern authentication.
+
+### Legacy protocols
+
+Legacy authentication protocols (IMAP, SMTP, POP3, etc.) are used by mail clients to make authentication requests. These protocols do not support MFA. Most of the account compromises seen by Microsoft are caused by bad actors performing attacks against legacy protocols attempting to bypass MFA. To ensure that MFA is required when logging into an administrative account and bad actors aren’t able to bypass MFA, this policy blocks all authentication requests made to administrator accounts from legacy protocols.
+
+> [!WARNING]
+> Before you enable this policy, make sure your administrators aren’t using legacy authentication protocols. See the article [How to: Block legacy authentication to Azure AD with conditional access](howto-baseline-protect-legacy-auth.md#identify-legacy-authentication-use) for more information.
+
+### User exclusions
+
+This baseline policy provides you the option to exclude users. Before enabling the policy for your tenant, we recommend excluding the following accounts:
+
+* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
+   * More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
+* **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
+   * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
+* Users who do not have or will not be able to use a smart phone.
+   * This policy requires administrators to register for MFA using the Microsoft Authenticator app.
+
+## Enable the baseline policy
+
+The policy **Baseline policy: Require MFA for admins** comes pre-configured and will show up at the top when you navigate to the Conditional Access blade in Azure portal.
+
+To enable this policy and protect your administrators:
+
+1. Sign in to the **Azure portal** as global administrator, security administrator, or conditional access administrator.
+1. Browse to **Azure Active Directory** > **Conditional Access**.
+1. In the list of policies, select **Baseline policy: Require MFA for admins**.
+1. Set **Enable policy** to **Use policy immediately**.
+1. Add any user exclusions by clicking on **Users** > **Select excluded users** and choosing the users that need to be excluded. Click **Select** then **Done**.
+1. Click **Save**.
+
+## Next steps
+
+For more information, see:
+
+* [Conditional access baseline protection policies](concept-baseline-protection.md)
+* [Five steps to securing your identity infrastructure](../../security/azure-ad-secure-steps.md)
+* [What is conditional access in Azure Active Directory?](overview.md)