Control: 1.1 Ensure that multi-factor authentication is enabled for all privileged users
Description
Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like:
- Service Co-Administrators
- Subscription Owners
- Contributors
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Note: By default, multi-factor authentication is disabled for all users.
Remediation
From Console
- Log in to Azure Active Directory
- Go to
Users
- Go to
All Users
- Click on Multi-Factor Authentication button on the top bar
- Ensure that MULTI-FACTOR AUTH STATUS is
Enabled
for all users who areService Co-Administrators
OROwners
ORContributors
.
To enable MFA, follow Microsoft Azure documentation and setup multi-factor authentication in your environment.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_1_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_1_1 --share
SQL
This control uses a named query:
ad_manual_control