Control: 6.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users

Description

[IMPORTANT - Please read the section overview: If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, F5, or Business Premium, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.]

Enable multifactor authentication for all users.

Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Remediation

From Azure Portal

Go to Microsoft Entra ID.
Under Manage, click Users.
Click Per-user MFA from the top menu.
Click the box next to a user with Status disabled.
Click Enable MFA.
Click Enable.
Repeat steps 1-6 for each user requiring remediation.

Other options within Azure Portal

Default Value

Multifactor authentication is not enabled for all users by default. Starting in 2024, multifactor authentication is enabled for administrative accounts by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_6_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_6_1_2 --share

SQL

This control uses a named query:

select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;