Control: 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Description
Enable multi-factor authentication for all non-privileged users.
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select the
Azure Active Directoryblade. - Then
Users. - Select
All Users. - Click on
Per-User MFAbutton on the top bar. - Ensure that for all users
MULTI-FACTOR AUTH STATUSisEnabled.
Follow Microsoft Azure documentation and enable multi-factor authentication in your environment.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
Enabling and configuring MFA is a multi-step process. Here are some additional resources on the process within Azure AD:
- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Default Value
By default, multi-factor authentication is disabled for all users.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_1_1_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_1_1_3 --shareSQL
This control uses a named query:
ad_manual_control