Control: 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users
Description
For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.
Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.
Remediation
From Azure Portal
- From Azure Home open Portal menu in the top left, and select
Microsoft Entra ID
. - Select
Security
. - Select
Conditional Access
. - Click
+ New policy
. - Enter a name for the policy.
- Select
Users or work load identities
. - Under
Include
, selectAll users
. - Under
Exclude
, checkUsers and groups
. - Select users this policy should not apply to and click
Select
. - Select
Cloud apps or actions
. - Select
All cloud apps
. - Select
Grant
. - Under
Grant access
, checkRequire multifactor authentication
and clickSelect
. - Set
Enable policy
toReport-only
. - Click
Create
.
After testing the policy in report-only mode, update the Enable policy
setting from Report-only
to On
.
Default Value
MFA is not enabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v210_1_2_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v210_1_2_4 --share
SQL
This control uses a named query:
ad_manual_control