Control: 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
Description
For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.
Enabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.
Remediation
From Azure Portal
- From Azure Home open the Portal Menu in top left, and select Azure Active Directory.
- Select
Security
. - Select
Conditional Access
. - Click
+ New policy
. - Enter a name for the policy.
- Select
Users or workload identities
. - Check
Users and groups
. - Select administrative groups this policy should apply to and click
Select
. - Under
Exclude
, checkUsers and groups
. - Select users this policy not should apply to and click
Select
. - Select
Cloud apps or actions
. - Select
All cloud apps
. - Select
Grant
. - Under Grant access, check
Require multifactor authentication
and clickSelect
. - Set
Enable policy
toReport-only
. - Click
Create
.
After testing the policy in report-only mode, update the Enable policy
setting from Report-only
to On
.
Default Value
By default, MFA is not enabled for any administrative accounts.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_1_2_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_1_2_3 --share
SQL
This control uses a named query:
ad_manual_control