Admins Excluded from MFA CA Policies [CHK-1189]

This check detects privileged administrator accounts that are excluded from Multi-Factor Authentication (MFA) Conditional Access policies in Microsoft Entra ID. It cross-references the list of permanent admins (CHK-1105) and PIM admins (CHK-1106) with user and group exclusions configured in all enabled Conditional Access policies that enforce MFA. Both direct user exclusions and group-based exclusions (by resolving group memberships) are evaluated. Configured emergency/break-glass accounts and whitelisted admins are excluded from alerting.
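To make the cross-referencing concrete, here is an added Python example (not Attic's own code) that evaluates the check's logic over constructed policy and membership data modelled on the Microsoft Graph conditionalAccessPolicy shape; every object id, group and display name is a placeholder.

```python
# Added example: CHK-1189 logic over constructed data (not Attic's implementation).
# Policy dicts mirror the Graph conditionalAccessPolicy fields: state,
# conditions.users.excludeUsers / excludeGroups, grantControls.builtInControls.
from typing import Dict, List, Set

# Constructed sample tenant: ids are placeholders, not real directory values.
ADMINS = {"u-alice": "alice@contoso.example", "u-bob": "bob@contoso.example",
          "u-carol": "carol@contoso.example", "u-bg": "breakglass@contoso.example"}
GROUP_MEMBERS = {"g-excluded-ops": {"u-bob", "u-dave"}}   # u-dave is not an admin
POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["u-alice", "u-bg"],
                              "excludeGroups": ["g-excluded-ops"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["u-carol"], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["block"]}},    # not an MFA policy: ignored
    {"displayName": "Old MFA policy", "state": "disabled",
     "conditions": {"users": {"excludeUsers": ["u-carol"], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},      # disabled: ignored
]
EMERGENCY_ACCOUNTS = {"u-bg"}       # configured break-glass account
ALLOWED_ADMINS: Set[str] = set()    # CHK1189_allowedAdmins whitelist (empty here)


def enforces_mfa(policy: dict) -> bool:
    """True for an enabled policy whose grant controls require MFA (or an auth strength)."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))


def excluded_admins(admins: Dict[str, str], policies: List[dict],
                    group_members: Dict[str, Set[str]], emergency: Set[str],
                    allowed: Set[str]) -> Dict[str, List[str]]:
    """Map each admin id that should be alerted to the MFA policies excluding it."""
    findings: Dict[str, List[str]] = {}
    for pol in policies:
        if not enforces_mfa(pol):
            continue
        users = pol["conditions"]["users"]
        excluded = set(users.get("excludeUsers", []))
        for gid in users.get("excludeGroups", []):
            excluded |= group_members.get(gid, set())   # resolve group-based exclusions
        # Keep only admins, then drop break-glass and whitelisted accounts.
        for uid in sorted((excluded & set(admins)) - emergency - allowed):
            findings.setdefault(uid, []).append(pol["displayName"])
    return findings


if __name__ == "__main__":
    for uid, pols in excluded_admins(ADMINS, POLICIES, GROUP_MEMBERS,
                                     EMERGENCY_ACCOUNTS, ALLOWED_ADMINS).items():
        print(f"{ADMINS[uid]} excluded from MFA by: {', '.join(pols)}")
```

In a live tenant the same walk would be fed from the Graph policy list and the group membership of each excluded group; role-based exclusions are a further exclusion type the sample does not cover.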

Rationale

Multi-Factor Authentication is one of the most effective defenses against credential theft and unauthorized access. When administrators — especially those with elevated privileges — are excluded from MFA enforcement, they become prime targets for attackers. A compromised admin account without MFA protection can lead to full tenant takeover, data exfiltration, and persistent access. Attackers frequently target admin accounts using phishing, password spraying, and token theft techniques, all of which MFA significantly mitigates.

Fix

No automated fix is available for this check.

Manual steps:

  1. Open the Azure Portal and navigate to Microsoft Entra ID > Protection > Conditional Access.
  2. Identify the MFA-enforcing policies listed in the alert and review their user and group exclusion lists.
  3. Remove admin accounts from the exclusion lists so they are subject to MFA enforcement.
  4. If an admin account must remain excluded (e.g., a break-glass or emergency access account), configure it as the emergency admin account in Attic or add it to the Allowed Admins whitelist (CHK1189_allowedAdmins) with a documented justification.
  5. Verify that the changes take effect by confirming that the admin accounts are now prompted for MFA on their next sign-in.

Impact

Removing admin exclusions from MFA policies ensures that all privileged accounts are protected by multi-factor authentication. This significantly reduces the risk of credential-based attacks against administrator accounts. Legitimate break-glass accounts can still be maintained through the emergency admin configuration or the allowed admins whitelist, ensuring operational continuity while maintaining security.

More Information