Control: 6.2.4 Ensure that a multifactor authentication policy exists for all users
Description
A Conditional Access policy can be enabled to ensure that users are required to use Multifactor Authentication (MFA) to login.
Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:
- https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
Multifactor authentication is strongly recommended to increase the confidence that a claimed identity can be proven to be the subject of the identity. This results in a stronger authentication chain and reduced likelihood of exploitation.
Remediation
From Azure Portal
- From Azure Home open Portal menu in the top left, and select
Microsoft Entra ID. - Select
Security. - Select
Conditional Access. - Select
Policies. - Click
+ New policy. - Enter a name for the policy.
- Click the blue text under
Users. - Under
Include, selectAll users. - Under
Exclude, checkUsers and groups. - Select users this policy should not apply to and click
Select. - Click the blue text under
Target resources. - Select
All cloud apps. - Click the blue text under
Grant. - Under
Grant access, checkRequire multifactor authenticationand clickSelect. - Set
Enable policytoReport-only. - Click
Create.
After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.
Default Value
Starting October 2024, MFA will be required for all accounts by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_6_2_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_6_2_4 --shareSQL
This control uses a named query:
select id as resource, 'info' as status, 'Manual verification required.' as reason, display_name as subscriptionfrom azure_subscription;