I came across a great reminder from Andy Ballard that’s worth calling out because it’s one of those things that’s easy to miss but has serious security impact.
If you’re relying on Conditional Access policies scoped to admin roles, new roles added to Entra are not automatically included.
That means you could already have privileged roles in your tenant today that are not protected by MFA or your existing Conditional Access policies.
The Problem
In Microsoft Entra ID, it’s common to configure a policy like:
- Require MFA for Admin Roles
- Block legacy auth for Admin Roles
- Restrict admin access to compliant devices
The assumption is usually:
“Any new admin role will automatically be covered”
That assumption is wrong.
When Microsoft introduces new roles, they are not dynamically added to existing Conditional Access policies.
Why This Matters
This creates a silent gap in your identity security posture:
- Newly introduced roles may have privileged access
- Those roles can be assigned without MFA enforcement
- Attackers target the weakest privileged path
This is exactly the kind of gap that gets exploited.
Best Practice Going Forward
This isn’t a one-time fix. You need a process.
Recommended approach:
- Schedule a monthly review of Entra roles
- Update Conditional Access policies accordingly
- Include this in your security baseline checks
- Consider automation where possible
At minimum, make this part of your identity governance routine.
Script to List Roles
If you want to quickly list all roles via PowerShell (Microsoft Graph PowerShell SDK):
# Read-only scope is enough to enumerate role templates
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
# Role templates include every role the tenant can assign, newly introduced ones included
Get-MgDirectoryRoleTemplate | Select-Object -Property DisplayName, Id
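Listing roles is the first step; the check that actually closes the gap is comparing that list against the roles your enforced Conditional Access policies include. The script below is an added example (not from the original post or from Andy Ballard) that does that comparison with the Microsoft Graph PowerShell SDK; it assumes you hold a role able to read policies and role templates, and it treats a policy as role-scoped only when role template IDs appear in its include list.

```powershell
# Added example: report Entra role templates that no enabled, role-scoped
# Conditional Access policy includes. Assumes Microsoft.Graph SDK is installed.
Connect-MgGraph -Scopes "Policy.Read.All", "RoleManagement.Read.Directory"

# Every role template the tenant can assign today (new roles show up here).
$templates = Get-MgDirectoryRoleTemplate

# Only enforced policies count; report-only and disabled policies protect nothing.
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' }

# Collect role template IDs explicitly included by any enforced policy.
# Policies targeting "All users" cover roles implicitly, so note them separately.
$coveredRoleIds    = @{}
$allUsersPolicies  = @()
foreach ($p in $policies) {
    $users = $p.Conditions.Users
    if ($users.IncludeUsers -contains 'All') {
        $allUsersPolicies += $p.DisplayName
    }
    foreach ($roleId in $users.IncludeRoles) {
        $coveredRoleIds[$roleId] = $true
    }
    # A role listed under ExcludeRoles is carved out of that policy; surface it.
    foreach ($roleId in $users.ExcludeRoles) {
        $name = ($templates | Where-Object Id -eq $roleId).DisplayName
        "NOTE: policy '$($p.DisplayName)' excludes role '$name'"
    }
}

# Roles not referenced by any enforced, role-scoped policy = the silent gap.
$uncovered = $templates | Where-Object { -not $coveredRoleIds.ContainsKey($_.Id) }

""
"Enforced policies that target all users: $($allUsersPolicies.Count)"
$allUsersPolicies | ForEach-Object { "  $_" }
""
"Role templates not included in any enforced role-scoped policy: $($uncovered.Count)"
$uncovered | Sort-Object DisplayName | Format-Table DisplayName, Id -AutoSize
```

Run this as part of the monthly review; any newly introduced role will land in the "not included" list until you add it to the relevant policies.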
Credit again to Andy Ballard for calling this out on LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:7444749044926828544/