turbot/steampipe-mod-azure-compliance

Control: Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'

Description

This recommendation is only relevant if your subscription is using Per-User MFA. If your organization is licensed to use Conditional Access, the preferred method of requiring MFA to join devices to Entra ID is to use a Conditional Access policy (see additional information below for link).

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.ad_require_mfa_for_device_join

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.ad_require_mfa_for_device_join --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  id as resource,
  case
    when multi_factor_auth_configuration = 'required' then 'ok'
    else 'alarm'
  end as status,
  case
    when multi_factor_auth_configuration = 'required' then t.display_name || ' MFA is required for device registration.'
    else t.display_name || ' MFA is not required for device registration.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t,
  azuread_device_registration_policy;
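To see how the control's status logic behaves on each possible value of multi_factor_auth_configuration without connecting to a tenant, the query below is an added, self-contained example (not part of the steampipe-mod-azure-compliance query above) that replaces the two Steampipe tables with constructed VALUES rows and keeps the mod's comma (cross) join and case expressions unchanged. The tenant id, display name and policy ids are made up; the column names are assumed to match those used by the control.

```sql
-- Constructed stand-in for azure_tenant: one tenant, as a typical Steampipe
-- connection would see. Values are made up for illustration.
with azure_tenant as (
  select *
  from (values
    ('00000000-0000-0000-0000-000000000001', 'Example Tenant', 'sub-example')
  ) as v(tenant_id, display_name, subscription_id)
),
-- Constructed stand-in for azuread_device_registration_policy: three rows so
-- that every branch of the control's case expression is exercised. A real
-- tenant has a single policy row; the ids here are made up.
azuread_device_registration_policy as (
  select *
  from (values
    ('policy-required',    'required'),
    ('policy-notrequired', 'notRequired'),
    ('policy-unset',       null::text)
  ) as v(id, multi_factor_auth_configuration)
),
distinct_tenant as (
  select
    distinct tenant_id,
    display_name,
    subscription_id
  from
    azure_tenant
)
-- Same status/reason logic as the control, evaluated over the sample rows.
select
  id as resource,
  case
    when multi_factor_auth_configuration = 'required' then 'ok'
    else 'alarm'
  end as status,
  case
    when multi_factor_auth_configuration = 'required' then t.display_name || ' MFA is required for device registration.'
    else t.display_name || ' MFA is not required for device registration.'
  end as reason,
  t.tenant_id,
  multi_factor_auth_configuration as raw_value
from
  distinct_tenant as t,
  azuread_device_registration_policy
order by
  id;
```

Run against any PostgreSQL database (Steampipe's own service included). Only the 'required' row evaluates to ok; 'notRequired' falls through to alarm, and so does the NULL row, because NULL = 'required' is not true and the case expression takes its else branch. Two properties of the control's query are worth keeping in mind when reading its results: a policy row whose MFA setting is absent is reported as an alarm rather than skipped, and because the tables are joined with a comma (a cross join), every tenant row is paired with every policy row, so a connection that returns no policy rows produces no result for the control at all.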

Tags