turbot/steampipe-mod-azure-compliance

Control: 5.1.2 Ensure that 'multifactor authentication' is 'enabled' for all users

Description

[IMPORTANT - Please read the section overview: If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, F5, or Business Premium, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.]

Enable multifactor authentication for all users.

Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:

Remediation

Remediate from Azure Portal

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Users.
  3. Click Per-user MFA from the top menu.
  4. Click the box next to a user with Status disabled.
  5. Click Enable MFA.
  6. Click Enable.
  7. Repeat steps 1-6 for each user requiring remediation.

Other options within Azure Portal

Default Value

Multifactor authentication is not enabled for all users by default. Starting in 2024, multifactor authentication is enabled for administrative accounts by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_1_2 --share

SQL

This control uses a named query. It reads the Entra ID authentication methods registration report (the azuread_user_registration_details_report table, backed by Microsoft Graph userRegistrationDetails), so a user passes as soon as at least one MFA method is registered for them; the query does not inspect per-user MFA state or Conditional Access enforcement, and it alarms on every user in the report, guest and disabled accounts included:

with distinct_tenant as (
  select distinct
    tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  r.user_principal_name as resource,
  case
    -- "is not true" also alarms when the report carries no value for the user;
    -- "not (x = true)" evaluates to null for a null x and would fall through to 'ok'
    when r.is_mfa_registered is not true then 'alarm'
    else 'ok'
  end as status,
  case
    when r.is_mfa_registered is not true then r.user_display_name || ' (' || r.user_principal_name || ') does not have multifactor authentication enabled.'
    else r.user_display_name || ' (' || r.user_principal_name || ') has multifactor authentication enabled.'
  end as reason,
  t.tenant_id
from
  azuread_user_registration_details_report as r
  left join distinct_tenant as t on t.tenant_id = r.tenant_id
where
  r.user_principal_name is not null;
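
The named query above stops at "is a method registered". The following query is an added example, not part of the steampipe-mod-azure-compliance mod, that separates registered from capable and highlights weak registrations. It assumes the Steampipe azuread plugin's azuread_user_registration_details_report table also exposes is_mfa_capable, is_admin, user_type and methods_registered (a JSON array of Graph method names such as mobilePhone, email, microsoftAuthenticatorPush, fido2SecurityKey) alongside is_mfa_registered; the column and method names mirror the Graph userRegistrationDetails resource and are assumptions here. The guest filter is a scoping choice, not a CIS requirement.

```sql
-- Added example, not the mod's own query.
-- Assumed columns: is_mfa_registered, is_mfa_capable, is_admin, user_type,
-- methods_registered (jsonb array of Graph method names).
--
-- is_mfa_registered: the user registered a strong method, whether or not the
-- tenant's authentication methods policy still allows it.
-- is_mfa_capable:    the user registered a strong method that the policy allows,
-- i.e. the user can actually complete an MFA prompt today.
with assessed as (
  select
    r.user_principal_name,
    r.user_display_name,
    coalesce(r.is_admin, false) as is_admin,
    r.is_mfa_registered,
    r.is_mfa_capable,
    coalesce(r.methods_registered, '[]'::jsonb) as methods_registered,
    -- true when at least one method is registered but every one of them is a
    -- phone-based factor or an SSPR-only method (email, security questions)
    (
      jsonb_array_length(coalesce(r.methods_registered, '[]'::jsonb)) > 0
      and not exists (
        select 1
        from jsonb_array_elements_text(coalesce(r.methods_registered, '[]'::jsonb)) as m(method)
        where m.method not in (
          'mobilePhone', 'alternateMobilePhone', 'officePhone',  -- phone/SMS factors
          'email', 'securityQuestion'                            -- SSPR only, not MFA
        )
      )
    ) as no_strong_method
  from
    azuread_user_registration_details_report as r
  where
    r.user_principal_name is not null
    -- guests are normally governed by their home tenant; remove this line to include them
    and coalesce(r.user_type, 'member') <> 'guest'
)
select
  user_principal_name as resource,
  case
    when is_mfa_registered is not true then 'alarm'
    when is_mfa_capable is not true then 'alarm'
    when is_admin and no_strong_method then 'alarm'   -- admins must have a phishing-resistant or app-based method
    when no_strong_method then 'info'
    else 'ok'
  end as status,
  case
    when is_mfa_registered is not true then
      user_display_name || ' (' || user_principal_name || ') has no MFA method registered.'
    when is_mfa_capable is not true then
      user_display_name || ' (' || user_principal_name || ') has registered methods, but none is allowed by the authentication methods policy: ' || methods_registered::text
    when no_strong_method then
      user_display_name || ' (' || user_principal_name || ') relies only on phone or SSPR methods: ' || methods_registered::text
    else
      user_display_name || ' (' || user_principal_name || ') is MFA capable: ' || methods_registered::text
  end as reason,
  is_admin
from
  assessed
order by
  is_admin desc,
  status,
  user_principal_name;
```

Run it directly with steampipe query against a tenant where the azuread plugin is configured, or wrap it in a custom control that extends the mod. Admin accounts sort first so the rows that matter most for the "administrative accounts" default in the Default Value section are at the top of the result.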

Tags