Conditional Access policy: Require multifactor authentication for admins accessing Microsoft admin portals

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access.
3. Select Create new policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Assignments, select Users or workload identities.

   1. Under Include, select Directory roles and choose built-in roles like:

      • Global Administrator
      • Application Administrator
      • Authentication Administrator
      • Billing Administrator
      • Cloud Application Administrator
      • Conditional Access Administrator
      • Exchange Administrator
      • Helpdesk Administrator
      • Password Administrator
      • Privileged Authentication Administrator
      • Privileged Role Administrator
      • Security Administrator
      • SharePoint Administrator
      • User Administrator

       

   2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

6. Under Target resources > Cloud apps > Include, Select apps, select Microsoft Admin Portals.
7. Under Access controls > Grant, select Grant access, Require authentication strength, select Multifactor authentication, then select Select.
8. Confirm your settings and set Enable policy to Report-only.
9. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.