Control: 5.2.4 Ensure that a multifactor authentication policy exists for all users
Description
A Conditional Access policy can be enabled to ensure that users are required to use Multifactor Authentication (MFA) to log in.
Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:
- https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
Remediation
Remediate from Azure Portal
- From Azure Home open Portal menu in the top left, and select Microsoft Entra ID.
- Select Security.
- Select Conditional Access.
- Select Policies.
- Click + New policy.
- Enter a name for the policy.
- Click the blue text under Users.
- Under Include, select All users.
- Under Exclude, check Users and groups.
- Select users this policy should not apply to and click Select.
- Click the blue text under Target resources.
- Select All cloud apps.
- Click the blue text under Grant.
- Under Grant access, check Require multifactor authentication and click Select.
- Set Enable policy to Report-only.
- Click Create.
After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.
Default Value
Starting October 2024, MFA will be required for all accounts by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_2_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_2_4 --share
SQL
This control uses a named query:
with role_template_ids as (
  select array_agg(role_template_id) as rid
  from azuread_directory_role
),
policy_with_mfa as (
  select tenant_id, count(p.*)
  from azuread_conditional_access_policy as p, role_template_ids as a
  where p.built_in_controls ?& array['mfa']
    and (p.users -> 'includeRoles')::jsonb ?| (a.rid)
    and jsonb_array_length(p.users -> 'excludeUsers') < 1
  group by tenant_id
),
tenant_list as (
  select distinct tenant_id, subscription_id, _ctx
  from azure_tenant
)
select
  t.tenant_id as resource,
  case when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then 'ok' else 'alarm' end as status,
  case when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0
    then t.tenant_id || ' has MFA enabled for all users.'
    else t.tenant_id || ' has MFA disabled for all users.'
  end as reason,
  t.tenant_id
from tenant_list as t;
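To make visible exactly what the query checks (MFA in built_in_controls, includeRoles overlapping the directory role template ids, an empty excludeUsers list) and what it does not (the policy state), here is an added Python re-implementation of the same predicate over constructed sample rows; this is example code, not part of the azure_compliance mod. The tenant ids, role template ids and user ids are constructed placeholders, and the optional require_enforced flag is an extra check the query itself does not make: it treats a policy still in Report-only as not satisfying the control.

```python
# Constructed sample rows shaped like the azuread_directory_role and
# azuread_conditional_access_policy tables the control's query reads. All ids are placeholders.
ROLE_TEMPLATE_IDS = ["role-template-global-admin", "role-template-security-admin"]

POLICIES = [
    {"tenant_id": "tenant-a", "display_name": "Require MFA", "state": "enabled",
     "built_in_controls": ["mfa"],
     "users": {"includeRoles": ["role-template-global-admin"], "excludeUsers": []}},
    # Same policy but still in Report-only: the query counts it as satisfying the control
    {"tenant_id": "tenant-b", "display_name": "Require MFA (pilot)",
     "state": "enabledForReportingButNotEnforced", "built_in_controls": ["mfa"],
     "users": {"includeRoles": ["role-template-global-admin"], "excludeUsers": []}},
    # An excluded account makes excludeUsers non-empty, so this policy does not count
    {"tenant_id": "tenant-c", "display_name": "MFA with exclusion", "state": "enabled",
     "built_in_controls": ["mfa"],
     "users": {"includeRoles": ["role-template-global-admin"], "excludeUsers": ["user-breakglass"]}},
]
TENANTS = ["tenant-a", "tenant-b", "tenant-c", "tenant-d"]  # tenant-d has no policy at all


def policy_matches(policy, role_template_ids, require_enforced=False):
    """Mirror the query's where clause. require_enforced is an added check (not in the
    query): the policy must be in state 'enabled', not report-only."""
    users = policy.get("users") or {}
    has_mfa = "mfa" in (policy.get("built_in_controls") or [])         # ?& array['mfa']
    includes_role = bool(set(users.get("includeRoles") or []) & set(role_template_ids))  # ?| rid
    no_exclusions = len(users.get("excludeUsers") or []) < 1           # jsonb_array_length < 1
    enforced = policy.get("state") == "enabled" if require_enforced else True
    return has_mfa and includes_role and no_exclusions and enforced


def evaluate(tenants, policies, role_template_ids, require_enforced=False):
    """Return {tenant_id: (status, reason)} in the form the control reports."""
    results = {}
    for tenant in tenants:
        count = sum(1 for p in policies
                    if p["tenant_id"] == tenant and policy_matches(p, role_template_ids, require_enforced))
        if count > 0:
            results[tenant] = ("ok", f"{tenant} has MFA enabled for all users.")
        else:
            results[tenant] = ("alarm", f"{tenant} has MFA disabled for all users.")
    return results


if __name__ == "__main__":
    for strict in (False, True):
        print(f"require_enforced={strict}")
        for tenant, (status, reason) in evaluate(TENANTS, POLICIES, ROLE_TEMPLATE_IDS, strict).items():
            print(f"  {status:5} {reason}")
```

Running it shows tenant-b reported ok by the query's own logic and alarm only under the stricter check, which is why the remediation's final step of moving the policy from Report-only to On matters.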