![]() ![]() ![]() If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.Use Conditional Access for workload identities to define policies targeting service principals. ![]() Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Service accounts like these should be excluded since MFA can't be completed programmatically. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts are non-interactive accounts that aren't tied to any particular user. Service accounts and service principals, such as the Azure AD Connect Sync Account.More information can be found in the article, Manage emergency access accounts in Azure AD.In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access. Emergency access or break-glass accounts to prevent tenant-wide account lockout.User exclusionsĬonditional Access policies are powerful tools, we recommend excluding the following accounts from your policies: Organizations can choose to include or exclude roles as they see fit. Privileged authentication administrator.Microsoft recommends you require MFA on the following roles at a minimum, based on identity score recommendations: Requiring multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised. Accounts that are assigned administrative rights are targeted by attackers.
0 Comments
Leave a Reply. |