Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 5.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users

Description

[IMPORTANT - Please read the section overview: If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, F5, or Business Premium, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.]

Enable multifactor authentication for all users.

Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:

Remediation

Remediate from Azure Portal

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Users.
  3. Click Per-user MFA from the top menu.
  4. Click the box next to a user with Status disabled.
  5. Click Enable MFA.
  6. Click Enable.
  7. Repeat steps 1-6 for each user requiring remediation.

Other options within Azure Portal

Default Value

Multifactor authentication is not enabled for all users by default. Starting in 2024, multifactor authentication is enabled for administrative accounts by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_1_2 --share

SQL

This control uses a named query:

select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;

Tags

category = Compliance
cis = true
cis_item_id = 5.1.2
cis_level = 1
cis_section_id = 5.1
cis_type = automated
cis_version = v5.0.0
plugin = azure
service = Azure