Loading controls...
Control: 1.2.6 Ensure Multifactor Authentication is Required for Windows Azure Service Management API
Description
This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API,etc.) are required to use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.
Remediation
From Azure Portal
- From the Azure Admin Portal dashboard, open
Microsoft Entra ID. - Click
Securityin the Entra ID blade. - Click
Conditional Accessin the Security blade. - Click
Policiesin the Conditional Access blade. - Click
+ New policy. - Enter a name for the policy.
- Click the blue text under
Users. - Under
Include, selectAll users. - Under
Exclude, checkUsers and groups. - Select users or groups to be exempted from this policy (e.g. break-glass emergency accounts, and non-interactive service accounts) then click the
Selectbutton. - Click the blue text under
Target Resources. - Under
Include, click theSelect appsradio button. - Click the blue text under
Select. - Check the box next to
Windows Azure Service Management APIsthen click theSelectbutton. - Click the blue text under Grant.
- Under
Grant accesscheck the box forRequire multifactor authenticationthen click theSelectbutton. - Before creating, set
Enable policytoReport-only. - Click
Create.
After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.
Default Value
MFA is not enabled by default for administrative actions.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v210_1_2_6Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v210_1_2_6 --shareSQL
This control uses a named query:
iam_conditional_access_mfa_enabled