 Another method that I want to show you, for those situations where you want to have some users that have multi-factor authentication and other users that don't, but you still want to automate the process a little. There is a method to do that as well. So again, in the Azure portal, we're going to go to portal.azure.com. Once we're in here, we want to search for conditional access. You'll find Azure AD conditional access. Once we're in conditional access, you may notice that there are already some policies that are available here named baseline policies. These are policies that Microsoft is going to be removing from tenants in the relatively near future. By the time you're watching this, they may already be gone from your tenant. These features have essentially been superseded by the security defaults feature, and that's essentially the reason why they're going to remove these from the tenant. What we want to do though, is create our own custom conditional access policy, and we're going to create a conditional access policy that enforces multi-factor authentication just for the administrators in our tenant. So I'm going to create a new policy. Under assignments, users and groups, I'm going to assign it to directory roles. In this list, you'll see there's a number of different directory roles that are available in your 365 tenant, and we want to enable it for all of the administrative roles. So it's going to be global administrator, SharePoint administrator, exchange administrator, conditional access administrator, security administrator, help desk administrator, password administrator, billing administrator, and user administrator. You notice that there are other administrators that are listed in here. The ones that we've selected here in this list are the minimum roles that we would recommend selecting for this policy. If you like, you could also provide additional roles to the system. If you do have an emergency access or a break glass account that you do not want to enforce multi-factor authentication upon, then we also would use the exclude tab here to provide an exclusion for that account. So in this case, I'm going to go to my users, and I have one in here that I called just emergency admin, it's 911 admin. So that account I'm going to exclude from this policy, so that account I have a very complicated password on, I don't expect it to get compromised because it doesn't even have a mailbox, it's just a global administrator account, that is there just in case any or all of my other administrators lose access to their own accounts in the system. Now under, sorry, so we need to say done here, under Cloud Apps or Actions, we want to include all Cloud Apps under Access Controls. We want to grant access, but require multi-factor authentication. After doing all of that, if we enable that policy and turn it on, then it's going to enable multi-factor authentication for all of the administrators in our system. You'll notice in this case, it's providing me with this warning that I may accidentally lock out my account. Since I'm logging in as the administrator for this tenant, and this is my only administrator for the tenant aside from that emergency account, I could add an exception for this account if I like, or I could go through the steps so that I am providing multi-factor authentication for that admin account, which is the step that I would recommend.