azure-docs
Why are Global Administrators not included?
I do not really follow why we are excluding all Global Admins in setting up this policy. I would say it is critical that you enable this especially for Global Admins. I get that you might want to exclude GA's initially to prevent locking oneself out, but then make a note on this, don't simply say "exclude GA's". Would be curious to hear the reasoning on why it is stated that way and would recommend a change there. Hope the feedback helps :)
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: d8685f6c-3ff4-47ba-454d-241ff3abc590
- Version Independent ID: 76de1516-981d-1fd3-efc9-de7908621e5b
- Content: Control security information registration with Conditional Access - Azure Active Directory - Microsoft Entra
- Content Source: articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md
- Service: active-directory
- Sub-service: conditional-access
- GitHub Login: @MicrosoftGuyJFlo
- Microsoft Alias: joflore
@jotheman0303 Thanks for your feedback! We will investigate and update as appropriate.
Hi @jotheman0303
Thank you for your feedback. I understand your concern. The reason for excluding Global Admins in the initial setup of a Conditional Access policy is to prevent administrators from locking themselves out of their directory. If a policy is applied to all users and all apps, it can result in administrators being unable to access their directory.
To avoid this situation, it is recommended to apply the policy to a small set of users first to verify that it behaves as expected. Additionally, it is recommended to exclude at least one administrator from the policy to ensure that there is still access to the policy in case changes are required.
I agree with your suggestion to make a note on this and provide more context on why Global Admins are excluded in the initial setup. I will pass this feedback along to the appropriate team for consideration.
Let me know if you have any other questions or concerns.
For your information, please refer to the documentation links below:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups
https://learn.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
@MicrosoftGuyJFlo Can you please check and add your comments on this doc update request as applicable.
Will look at this with the Product Group when updating the doc in the future. Thanks for the feedback #please-close
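The trade-off discussed in this thread can be checked against exported policies. The following is an added example, not code from the documentation or from any participant: it flags policies that exclude the whole Global Administrator role and policies that apply to all users with no administrator exempt. It assumes policies exported in the Microsoft Graph `conditionalAccessPolicy` JSON shape; the sample policies, the user object ID, and the `designated_admin_ids` list are constructed placeholders.

```python
import json

# Well-known role template ID of the built-in Global Administrator role.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects.
# Display names and the user object ID are placeholders.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Registration: GA role excluded",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
     "excludeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}}},
  {"displayName": "Registration: one admin excluded",
   "conditions": {"users": {"includeUsers": ["All"], "excludeRoles": [],
     "excludeUsers": ["00000000-0000-0000-0000-0000000000aa"]}}},
  {"displayName": "Registration: no exclusions",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
     "excludeRoles": []}}}
]
""")

def audit_policy(policy, designated_admin_ids):
    """Return findings for one policy's user exclusions."""
    users = policy.get("conditions", {}).get("users", {})
    excluded_roles = users.get("excludeRoles") or []
    excluded_users = set(users.get("excludeUsers") or [])
    designated = set(designated_admin_ids)
    findings = []
    ga_excluded = GLOBAL_ADMIN_ROLE_ID in excluded_roles
    if ga_excluded:
        # The concern raised in the issue: every Global Admin bypasses the policy.
        findings.append("entire Global Administrator role is excluded")
    if "All" in (users.get("includeUsers") or []) and not ga_excluded \
            and not (excluded_users & designated):
        # The lockout case the reply describes: no administrator is exempt.
        findings.append("no designated administrator is excluded (lockout risk)")
    extra = sorted(excluded_users - designated)
    if extra:
        findings.append("undesignated accounts excluded: " + ", ".join(extra))
    return findings

def audit(policies, designated_admin_ids):
    return {p["displayName"]: audit_policy(p, designated_admin_ids) for p in policies}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES, ["00000000-0000-0000-0000-0000000000aa"]).items():
        print(name, "->", findings or ["ok"])
```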