Control: 5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles

Description

Multi-factor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.

Ensure users in administrator roles have MFA capabilities enabled.

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Remediation

To enable multifactor authentication for administrators:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click expand Protection > Conditional Access select Policies.
3. Click New policy.
4. Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles.
5. At a minimum, select the Directory roles listed below in this section of the document.
6. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
7. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
8. Leave all other conditions blank.
9. Make sure the policy is enabled.
10. Create.

At minimum these directory roles should be included for MFA:

• Application administrator
• Authentication administrator
• Billing administrator
• Cloud application administrator
• Conditional Access administrator
• Exchange administrator
• Global administrator
• Global reader
• Helpdesk administrator
• Password administrator
• Privileged authentication administrator
• Privileged role administrator
• Security administrator
• SharePoint administrator
• User administrator