Control: 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles
Description
Enable multifactor authentication for all users who are members of administrative roles in the Microsoft 365 tenant. These include roles such as:
- Global Administrator
- Billing Administrator
- Exchange Administrator
- SharePoint Administrator
- Password Administrator
- Skype for Business Administrator
- Service Support Administrator
- User Administrator
- Dynamics 365 Service Administrator
- Power BI Administrator
Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Remediation
To enable multifactor authentication for administrators, use the Microsoft 365 Admin Center:
- Log in to
https://admin.microsoft.com
as aGlobal Administrator
. - Go to
Admin centers
and click onAzure Active Directory
. - Select
Enterprise applications
then, underSecurity
, selectConditional Access
. - Click
New policy
. - Go to
Assignments
>Users and groups
>Include > Select users
andgroups
> checkDirectory roles
. - At a minimum, select the following roles:
Billing admin
,Conditional Access admin
,Exchange admin
,Global admin
,Helpdesk admin
,Security admin
,SharePoint admin
, andUser admin
. - Go to
Cloud apps or actions
>Cloud apps
>Include
> selectAll cloud apps (and don't exclude any apps)
. - Under
Access controls
>Grant
> selectGrant access
> checkRequire multi-factor authentication
(and nothing else). - Leave all other conditions blank.
- Make sure the policy is enabled.
Create
.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v140_1_1_1 --share
SQL
This control uses a named query:
with users_having_admin_roles as ( select array_agg(role_template_id) as rid from azuread_directory_role where display_name like '%Administrator'),policy_with_mfa as ( select tenant_id, count(p.*) from azuread_conditional_access_policy as p, users_having_admin_roles as a where p.built_in_controls ?& array['mfa'] and (p.users -> 'includeRoles')::jsonb ?| (a.rid) and jsonb_array_length(p.users -> 'excludeUsers') < 1 group by tenant_id),tenant_list as ( select distinct on (tenant_id) tenant_id, _ctx from azuread_user)select t.tenant_id as resource, case when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then 'ok' else 'alarm' end as status, case when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has MFA enabled for all users in administrative roles.' else t.tenant_id || ' has MFA disabled for all users in administrative roles.' end as reason , t.tenant_id as tenant_idfrom tenant_list as t;