Control: Ensure that 'multifactor authentication' is 'enabled' for all users
Description
Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.ad_user_mfa_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.ad_user_mfa_enabled --share
SQL
This control uses a named query:
-- One row per tenant, so the join below does not multiply users across subscriptions
with distinct_tenant as (
  select distinct
    tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  r.user_principal_name as resource,
  -- 'alarm' when the user has not registered MFA; note that a null
  -- is_mfa_registered does not satisfy this condition and is reported as 'ok'
  case
    when not (r.is_mfa_registered = true) then 'alarm'
    else 'ok'
  end as status,
  case
    when not (r.is_mfa_registered = true) then r.user_display_name || ' (' || r.user_principal_name || ') does not have multifactor authentication enabled.'
    else r.user_display_name || ' (' || r.user_principal_name || ') has multifactor authentication enabled.'
  end as reason,
  t.tenant_id
from
  azuread_user_registration_details_report as r
  left join distinct_tenant as t on t.tenant_id = r.tenant_id
where
  r.user_principal_name is not null;