Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-microsoft365-compliance
Overview
6Dashboards
126Benchmarks
36Queries
2Variables
GitHub

Control: 1.1.2 Ensure multifactor authentication is enabled for all users in administrative roles

Description

Multi-factor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.

Ensure users in administrator roles have MFA capabilities enabled.

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Remediation

To enable multifactor authentication for administrators:

  1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
  2. Click expand Azure Active Directory > Applications select Enterprise Applications.
  3. Under Security, select Conditional Access.
  4. Click New policy.
  5. Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles.
  6. At a minimum, select the Directory roles listed below in this section of the document.
  7. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
  8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
  9. Leave all other conditions blank.
  10. Make sure the policy is enabled.
  11. Create.

At minimum these directory roles should be included for MFA:

  • Application administrator
  • Authentication administrator
  • Billing administrator
  • Cloud application administrator
  • Conditional Access administrator
  • Exchange administrator
  • Global administrator
  • Global reader
  • Helpdesk administrator
  • Password administrator
  • Privileged authentication administrator
  • Privileged role administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_1_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_1_1_2 --share

SQL

This control uses a named query:

with users_having_admin_roles as (
  select
    array_agg(role_template_id) as rid
  from
    azuread_directory_role
  where
    display_name like '%Administrator'
),
policy_with_mfa as (
  select
    tenant_id,
    count(p.*)
  from
    azuread_conditional_access_policy as p,
    users_having_admin_roles as a
  where
    p.built_in_controls ?& array['mfa']
    and (p.users -> 'includeRoles')::jsonb ?| (a.rid)
    and jsonb_array_length(p.users -> 'excludeUsers') < 1
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has MFA enabled for all users in administrative roles.'
    else t.tenant_id || ' has MFA disabled for all users in administrative roles.'
  end as reason
  , t.tenant_id as tenant_id
from
  tenant_list as t;

Tags

category = Compliance
cis = true
cis_item_id = 1.1.2
cis_level = 1
cis_section_id = 1.1
cis_type = automated
cis_version = v2.0.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory