turbot/steampipe-mod-azure-compliance

Control: 2.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes'

Description

NOTE: This recommendation is only relevant if your subscription is using Per-User MFA. If your organization is licensed to use Conditional Access, the preferred method of requiring MFA to join devices to Entra ID is to use a Conditional Access policy (see additional information below for link).

Joining or registering devices to Microsoft Entra ID should require multi-factor authentication.

Multi-factor authentication is recommended when adding devices to Microsoft Entra ID. When set to Yes, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select Devices.
  4. Under Manage, select Device settings.
  5. Under Microsoft Entra join and registration settings, set Require Multifactor Authentication to register or join devices with Microsoft Entra to Yes.
  6. Click Save.

Default Value

By default, Require Multifactor Authentication to register or join devices with Microsoft Entra is set to No.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_2_22

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_2_22 --share

SQL

This control uses a named query:

select
'active_directory' as resource,
'info' as status,
'Manual verification required.' as reason;

Tags