Control: 2.2.6 Ensure Multi-factor Authentication is Required for Risky Sign-ins
Description
Entra ID tracks the behavior of sign-in events. If the Entra ID domain is licensed with P2, the sign-in behavior can be used as a detection mechanism for additional scrutiny during the sign-in event. If this policy is set up, then Risky Sign-in events will prompt users to use multi-factor authentication (MFA) tokens on login for additional verification.
Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel. Enabling this policy allows Entra ID's risk-detection mechanisms to force additional scrutiny on the login event, providing a deterrent response to potentially malicious sign-in events, and adding an additional authentication layer as a reaction to potentially malicious behavior.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu in the top left and select
Microsoft Entra ID
. - Select
Security
. - Select
Conditional Access
. - Select
Policies
. - Click
+ New policy
. - Enter a name for the policy.
- Click the blue text under
Users
. - Under
Include
, selectAll users
. - Under
Exclude
, checkUsers and groups
. - Select users this policy should not apply to and click
Select
. - Click the blue text under
Target resources
. - Select
All cloud apps
. - Click the blue text under
Conditions
. - Select
Sign-in risk
. - Update the
Configure
toggle toYes
. - Check the sign-in risk level this policy should apply to, e.g.
High
andMedium
. - Select
Done
. - Click the blue text under
Grant
and checkRequire multifactor authentication
then click theSelect
button. - Click the blue text under
Session
then checkSign-in frequency
and selectEvery time
and click theSelect
button. - Set
Enable policy
toReport-only
. - Click
Create
.
After testing the policy in report-only mode, update the Enable policy
setting from Report-only
to On
.
Default Value
MFA is not enabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_2_2_6
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v300_2_2_6 --share
SQL
This control uses a named query:
select 'active_directory' as resource, 'info' as status, 'Manual verification required.' as reason;