You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/conditional-access/baseline-protection.md
+12-27Lines changed: 12 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,5 +1,5 @@
1
1
---
2
-
title: What is a baseline protection in Azure Active Directory conditional access? - preview | Microsoft Docs
2
+
title: What is a baseline protection in Azure Active Directory conditional access? | Microsoft Docs
3
3
description: Learn how baseline protection ensures that you have at least the baseline level of security enabled in your Azure Active Directory environment.
4
4
services: active-directory
5
5
keywords: conditional access to apps, conditional access with Azure AD, secure access to company resources, conditional access policies
@@ -21,40 +21,32 @@ ms.reviewer: nigu
21
21
22
22
ms.collection: M365-identity-device-management
23
23
---
24
-
# What is baseline protection (preview)?
24
+
# What is baseline protection?
25
25
26
26
In the last year, identity attacks have increased by 300%. To protect your environment from the ever-increasing attacks, Azure Active Directory (Azure AD) introduces a new feature called baseline protection. Baseline protection is a set of predefined [conditional access policies](../active-directory-conditional-access-azure-portal.md). The goal of these policies is to ensure that you have at least the baseline level of security enabled in all editions of Azure AD.
27
27
28
28
This article provides you with an overview of baseline protection in Azure Active Directory.
29
-
30
-
31
29
32
30
## Require MFA for admins
33
31
34
32
Users with access to privileged accounts have unrestricted access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign-in. In Azure Active Directory, you can get a stronger account verification by requiring multi-factor authentication (MFA).
35
33
36
-
**Require MFA for admins** is a baseline policy that requires MFA for the following directory roles:
37
-
38
-
- Global administrator
39
-
40
-
- SharePoint administrator
41
-
42
-
- Exchange administrator
43
-
44
-
- Conditional access administrator
45
-
46
-
- Security administrator
34
+
**Require MFA for admins** is a baseline policy that requires MFA for the following directory roles:
47
35
36
+
* Global administrator
37
+
* SharePoint administrator
38
+
* Exchange administrator
39
+
* Conditional access administrator
40
+
* Security administrator
41
+
* Helpdesk administrator / Password administrator
42
+
* Billing administrator
43
+
* User administrator
48
44
49
45
50
46
51
47
This baseline policy provides you with the option to exclude users. You might want to exclude one *[emergency-access administrative account](../users-groups-roles/directory-emergency-access.md)* to ensure you are not locked out of the tenant.
52
48
53
-
54
-
## Enable a baseline policy
55
-
56
-
While baseline policies are in preview, they are by default not activated. You need to manually enable a policy if you want to activate it. If you explicitly enable the baseline policies at the preview stage, they will remain active when this feature reaches general availability. The planned behavior change is the reason why, in addition to activate and deactivate, you have a third option to set the state of a policy: **Automatically enable policy in the future**. By selecting this option, you can leave the policies disabled during preview, but have Microsoft enable them automatically when this feature reaches general availability. If you do not explicitly enable baseline policies now, and do not select the **Automatically enable policy in the future** option, the policies will remain disabled when this feature reaches general availability.
57
-
49
+
## Enable a baseline policy
58
50
59
51
**To enable a baseline policy:**
60
52
@@ -73,9 +65,6 @@ While baseline policies are in preview, they are by default not activated. You n
73
65
5. To enable the policy, click **Use policy immediately**.
74
66
75
67
6. Click **Save**.
76
-
77
-
78
-
79
68
80
69
## What you should know
81
70
@@ -87,14 +76,10 @@ If you have privileged accounts that are used in your scripts, you should replac
87
76
88
77
Baseline policies apply to legacy authentication flows like POP, IMAP, older Office desktop client.
89
78
90
-
91
-
92
-
93
79
## Next steps
94
80
95
81
For more information, see:
96
82
97
83
-[Five steps to securing your identity infrastructure](https://docs.microsoft.com/azure/security/azure-ad-secure-steps)
98
84
99
85
-[What is conditional access in Azure Active Directory?](overview.md)
0 commit comments