Control: 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management
Description
For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.
Enabling multi-factor authentication is a recommended setting to limit the use of Administrative actions and to prevent intruders from changing settings.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu and select
Azure Active Directory. - Scroll down in the menu on the left, and select
Security. - Select on the left side
Conditional Access. - Click the
+ New policy
Default Value
MFA is not enabled by default for administrative actions.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v150_1_2_6Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v150_1_2_6 --shareSQL
This control uses a named query:
with distinct_tenant as ( select distinct tenant_id, subscription_id, _ctx from azure_tenant)select p.id as resource, case when p.built_in_controls @> '["mfa"]' then 'ok' else 'alarm' end as status, case when p.built_in_controls @> '["mfa"]' then p.display_name || ' MFA enabled.' else p.display_name || ' MFA disabled.' end as reason, t.tenant_id from distinct_tenant as t, azuread_conditional_access_policy as p;