Control: 5.2.2.2 Ensure multifactor authentication is enabled for all users
Description
Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.
Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Remediation
To enable multifactor authentication for all users:
- Navigate to
the Microsoft Entra admin centerhttps://entra.microsoft.com. - Click expand
Protection>Conditional AccessselectPolicies. - Click
New policy. - Go to
Assignments>Users and groups>Include> selectAll users(and do not exclude any user). - Select
Cloud apps or actions>All cloud apps(and don't exclude any apps). Access Controls>Grant>Require multi-factor authentication(and nothing else).- Leave all other conditions blank.
- Make sure the policy is Enabled/On.
- Create.
Default Value
Disabled.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_2 --shareSQL
This control uses a named query:
azuread_all_user_mfa_enabled