Tag Archives: EMS

Conditional Access – baseline protection

Microsoft is helping us protect the global admins in our organizations with a new set of baseline protection policies.

Baseline protection is a set of predefined conditional access policies. The goal of these policies is to ensure that you have at least the baseline level of security enabled in all editions of Azure AD.

The first baseline protection policy Microsoft has released is “Baseline policy: Require MFA for admins (Preview)”, which in the near future will enforce MFA for the service admins in your tenant.

Users with access to privileged accounts have unrestricted access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign-in. In Azure Active Directory, you can get a stronger account verification by requiring multi-factor authentication (MFA).

Require MFA for admins is a baseline policy that requires MFA for the following directory roles:

  • Global administrator 
  • SharePoint administrator 
  • Exchange administrator 
  • Conditional access administrator 
  • Security administrator 

This baseline policy lets you exclude users and groups. Exclude at least one emergency-access (break-glass) administrative account so that a problem with MFA cannot lock you out of the tenant.

Right now the policy is not enforced. Microsoft will enable it automatically in the future, but you can switch it on yourself and start using it today.
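Before switching the policy on, it is worth knowing exactly who will be affected and who has not yet registered an MFA method. The following script is an added example, not part of the original post. It uses the AzureAD and MSOnline PowerShell modules to list the members of the five roles the baseline policy covers and shows each user's registered MFA methods. The directory role display names and the emergency-account UPN in it are assumptions to confirm in your own tenant.

```powershell
# Added example (not part of the original post): list the members of the five
# directory roles the "Require MFA for admins" baseline policy covers and show
# whether each user has already registered an MFA method. Run this before
# enabling the policy so you know who will be prompted to register, and which
# emergency-access account you intend to exclude.
# Requires the AzureAD and MSOnline modules; both Connect-* cmdlets prompt for a
# Global Administrator sign-in.
Connect-AzureAD | Out-Null
Connect-MsolService

# Directory role display names differ from the portal names. The mappings below
# are assumptions for this example; confirm them in your tenant with
#   Get-AzureADDirectoryRole | Select-Object DisplayName
$baselineRoles = @(
    'Company Administrator',             # Global administrator
    'SharePoint Service Administrator',  # SharePoint administrator
    'Exchange Service Administrator',    # Exchange administrator
    'Conditional Access Administrator',
    'Security Administrator'
)

# Hypothetical break-glass account you plan to exclude from the policy
$emergencyAccount = 'breakglass@contoso.onmicrosoft.com'

# Get-AzureADDirectoryRole only returns roles that have been activated in the tenant
$roles = Get-AzureADDirectoryRole | Where-Object { $baselineRoles -contains $_.DisplayName }

$report = foreach ($role in $roles) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Role members can also be groups or service principals; only users register MFA methods
        if ($member.ObjectType -ne 'User') {
            [pscustomobject]@{
                Role       = $role.DisplayName
                Member     = $member.DisplayName
                Type       = $member.ObjectType
                MfaMethods = 'n/a'
                Note       = 'not a user account, review separately'
            }
            continue
        }

        $msolUser = Get-MsolUser -UserPrincipalName $member.UserPrincipalName
        $methods  = @($msolUser.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $mfaText  = if ($methods.Count -gt 0) { $methods -join ',' } else { 'NONE - will be asked to register' }
        $note     = ''
        if ($member.UserPrincipalName -eq $emergencyAccount) { $note = 'candidate for exclusion' }

        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $member.UserPrincipalName
            Type       = 'User'
            MfaMethods = $mfaText
            Note       = $note
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize
```

Anyone listed with NONE will be forced through MFA registration at their next sign-in once the policy is on; make sure the account you exclude is the one you can actually reach if that registration fails.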


Azure AD password reset from the Windows login screen

With the Windows 10 April 2018 Update (version 1803) it is now possible to reset your password from the Windows 10 login screen on an Azure AD joined or hybrid Azure AD joined device.

A “Reset password” link appears on the login screen. When users click it, they are taken to the same self-service password reset (SSPR) experience they are already familiar with.

Requirements

  • Windows 10 April 2018 Update (version 1803), or newer
  • A Windows 10 client that is Azure AD joined or hybrid Azure AD joined
  • Azure AD self-service password reset must be enabled for the user

How to set it up

First, sign in to the Microsoft 365 Device Management portal (Intune) and go to Device configuration.

Create a new device configuration profile by clicking Profiles -> Create Profile

  • Enter a name for the profile
  • Optionally provide a description
  • Choose ‘Windows 10 and later’ as platform
  • Choose ‘Custom’ as profile type

Add the following OMA-URI setting to enable the Reset password link:

  • Enter a name to explain what the setting is doing
  • Optionally provide a description
  • OMA-URI set to ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
  • Data type set to Integer
  • Value set to 1

Click OK -> OK -> Create, then assign the profile to the device (or user) group that should get the link.
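To confirm on a client that the link will actually show up, the following script is an added example (not part of the original post) that checks the three prerequisites from the Windows side: the build number, the join state reported by dsregcmd /status, and whether the AllowAadPasswordReset policy has been applied. The registry path is where the Policy CSP writes applied device settings; treat it as an assumption to confirm on your own build.

```powershell
# Added example (not part of the original post): run on a Windows 10 client to
# verify the prerequisites for the "Reset password" link on the login screen:
#   1. Windows 10 April 2018 Update (version 1803 = build 17134) or newer
#   2. the device is Azure AD joined or hybrid Azure AD joined (dsregcmd /status)
#   3. the AllowAadPasswordReset policy from the Intune profile has been applied
# The registry path below is an assumption: it is where the Policy CSP stores
# applied device settings, confirm it on your build before relying on it.

$minBuild = 17134
$build    = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$buildOk  = $build -ge $minBuild

# dsregcmd prints lines such as "AzureAdJoined : YES" and "DomainJoined : YES".
# Both YES means hybrid Azure AD joined; AzureAdJoined alone means Azure AD joined.
$status        = dsregcmd /status
$azureAdJoined = [bool]($status | Select-String '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($status | Select-String '^\s*DomainJoined\s*:\s*YES')
$joinType = 'NOT Azure AD joined'
if ($azureAdJoined) { $joinType = 'Azure AD joined' }
if ($azureAdJoined -and $domainJoined) { $joinType = 'Hybrid Azure AD joined' }

# Policy CSP node ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$policyValue = (Get-ItemProperty -Path $policyKey -Name AllowAadPasswordReset -ErrorAction SilentlyContinue).AllowAadPasswordReset
$policyOk    = ($policyValue -eq 1)
$policyText  = 'not set'
if ($null -ne $policyValue) { $policyText = $policyValue }

[pscustomobject]@{
    Build                 = $build
    BuildOk               = $buildOk
    JoinType              = $joinType
    JoinOk                = $azureAdJoined
    AllowAadPasswordReset = $policyText
    PolicyOk              = $policyOk
    ReadyForResetLink     = ($buildOk -and $azureAdJoined -and $policyOk)
} | Format-List
```

If PolicyOk is false, the profile has not reached the device yet: check that it is assigned to a group the device (or its primary user) belongs to and trigger a sync from Settings -> Accounts -> Access work or school before troubleshooting anything else.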

Enable Azure AD self-service password reset

Sign in to the Azure portal using a Global Administrator account.

Click Azure Active Directory -> Password reset

Start with a pilot group by enabling self-service password reset for a subset of users in your organization.

  • From the Properties page, under the option Self Service Password Reset Enabled, choose Selected and pick a pilot group
    • Only members of the specific Azure AD group that you choose can use the SSPR functionality
    • Nesting of security groups is supported here.
    • Ensure the users in the group you picked have been appropriately licensed
  • Click Save

On the Authentication methods page

  • Set the Number of methods required to reset to 2
  • Under Methods available to users, choose which methods your organization wants to allow
  • Click Save

On the Registration page

  • Select Yes for Require users to register when signing in
  • Set Number of days before users are asked to reconfirm their authentication information to 180
  • Click Save

On the Notifications page

  • Set Notify users on password resets option to Yes.
  • Set Notify all admins when other admins reset their password to Yes

On the Customization page

  • Set Customize helpdesk link to Yes and provide either an email address or web page URL where your users can get additional help from your organization in the Custom helpdesk email or URL field

Self-service password reset is now configured for cloud users in your pilot group.

Enforce MFA for users

When you create your administrators, including your global administrator account, it is essential that you use very strong authentication methods.

To check who in your organization holds the Global administrator role (named “Company Administrator” in the directory), run the following Azure AD PowerShell commands:

  Connect-AzureAD
  Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName, UserPrincipalName

As long as your users have licenses that include Azure Multi-Factor Authentication, there is nothing more you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis (per-user MFA).

The licenses that enable Azure MFA are

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

How to enable MFA

Sign in to the Azure portal as a Global Administrator

Go to Azure Active Directory -> Users and groups -> All users

Select Multi-Factor Authentication

Find the user you want to enable for Azure MFA.

Check the box next to their name.

On the right, under quick steps, choose Enable (Disable reverts the change)
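The same change can be made from PowerShell for every Global administrator at once, which also makes it easy to skip the emergency-access account on purpose. The script below is an added example, not part of the original post. It combines the Azure AD PowerShell role query shown above with the MSOnline cmdlet Set-MsolUser -StrongAuthenticationRequirements, which is how per-user MFA state is set outside the portal. The break-glass UPN is an assumption for the example.

```powershell
# Added example (not part of the original post): enable per-user MFA for every
# Global administrator (directory role "Company Administrator") from PowerShell.
# Per-user MFA state is set with Set-MsolUser -StrongAuthenticationRequirements:
#   "Enabled"  - the user is asked to register at next sign-in
#   "Enforced" - every sign-in requires MFA (set automatically after registration)
# Requires the AzureAD and MSOnline modules and a Global Administrator sign-in.
Connect-AzureAD | Out-Null
Connect-MsolService

# Hypothetical emergency-access account: kept out of per-user MFA on purpose so a
# lost phone cannot lock you out of the tenant. Protect it by other means.
$emergencyAccount = 'breakglass@contoso.onmicrosoft.com'

$globalAdmins = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Company Administrator' } |
    Get-AzureADDirectoryRoleMember |
    Where-Object { $_.ObjectType -eq 'User' }

# One requirement object reused for every user; RelyingParty "*" covers all apps
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State        = 'Enabled'

foreach ($admin in $globalAdmins) {
    $upn = $admin.UserPrincipalName
    if ($upn -eq $emergencyAccount) {
        Write-Host "SKIP    $upn (emergency-access account)"
        continue
    }

    $user    = Get-MsolUser -UserPrincipalName $upn
    $current = $user.StrongAuthenticationRequirements | Select-Object -First 1
    if ($current -and ($current.State -in 'Enabled', 'Enforced')) {
        Write-Host "OK      $upn already $($current.State)"
        continue
    }

    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    Write-Host "ENABLED $upn"
}

# Verify: every global admin except the emergency account should now show
# Enabled or Enforced; an empty State means per-user MFA is still off.
$globalAdmins | ForEach-Object {
    $u     = Get-MsolUser -UserPrincipalName $_.UserPrincipalName
    $state = @($u.StrongAuthenticationRequirements | ForEach-Object { $_.State }) -join ','
    if (-not $state) { $state = 'off' }
    [pscustomobject]@{ User = $u.UserPrincipalName; State = $state }
} | Format-Table -AutoSize
```

Run it once with the Set-MsolUser line commented out to see who would change, then for real. Because the account you skip has no second factor, give it a long random password stored offline and alert on every sign-in to it.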