
Control: 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users


Enable multi-factor authentication for all non-privileged users.

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.


From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select the Azure Active Directory blade.
  3. Then select Users.
  4. Select All Users.
  5. Click the Per-User MFA button on the top bar.
  6. Ensure that for all users MULTI-FACTOR AUTH STATUS is Enabled.
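
The portal check above can be repeated over an exported user list. The following is an added example, not part of the original page or of the Powerpipe mod: it evaluates constructed records and returns rows in the resource/status/reason shape used by the control's query. The field names (`upn`, `privileged`, `account_enabled`, `mfa_state`), the skip rule for disabled accounts, and the choice to accept `enforced` alongside `enabled` are assumptions.

```python
# Added example. Field names are an assumed export shape, not a fixed API.
# Assumption: "enforced" is accepted as passing alongside "enabled";
# pass accepted=("enabled",) to match the control text literally.
ACCEPTED_DEFAULT = ("enabled", "enforced")

# Constructed sample records, one per user.
SAMPLE_USERS = [
    {"upn": "alice@example.com", "privileged": False, "account_enabled": True, "mfa_state": "Enabled"},
    {"upn": "bob@example.com", "privileged": False, "account_enabled": True, "mfa_state": "Disabled"},
    {"upn": "carol@example.com", "privileged": False, "account_enabled": True, "mfa_state": "Enforced"},
    {"upn": "dave@example.com", "privileged": True, "account_enabled": True, "mfa_state": "Disabled"},
    {"upn": "erin@example.com", "privileged": False, "account_enabled": False, "mfa_state": "Disabled"},
    {"upn": "frank@example.com", "privileged": False, "account_enabled": True},  # status missing
]


def row(resource, status, reason):
    """Build one result row with the control query's column names."""
    return {"resource": resource, "status": status, "reason": reason}


def evaluate_mfa(users, accepted=ACCEPTED_DEFAULT):
    """Return one row per user; only non-privileged, enabled accounts are judged."""
    rows = []
    for user in users:
        upn = user.get("upn", "<unknown>")
        state = str(user.get("mfa_state") or "").strip().lower()
        if user.get("privileged"):
            rows.append(row(upn, "skip", "Privileged user, out of scope for this control."))
        elif not user.get("account_enabled", True):
            # Assumption: accounts that cannot sign in are skipped, not failed.
            rows.append(row(upn, "skip", "Account is disabled."))
        elif not state:
            # A missing status is treated as a failure so it gets reviewed.
            rows.append(row(upn, "alarm", "MFA status missing, verify manually."))
        elif state in accepted:
            rows.append(row(upn, "ok", f"MFA status is {state}."))
        else:
            rows.append(row(upn, "alarm", f"MFA status is {state}."))
    return rows


def failing(rows):
    """List the users that need remediation."""
    return [r["resource"] for r in rows if r["status"] == "alarm"]


if __name__ == "__main__":
    for r in evaluate_mfa(SAMPLE_USERS):
        print(f'{r["status"]:5} {r["resource"]:20} {r["reason"]}')
```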

Follow Microsoft Azure documentation and enable multi-factor authentication in your environment.


Enabling and configuring MFA is a multi-step process. Here are some additional resources on the process within Azure AD:

Default Value

By default, multi-factor authentication is disabled for all users.


Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_1_1_3 --share


This control uses a named query:

select
  'active_directory' as resource,
  'info' as status,
  'Manual verification required.' as reason;
