turbot/steampipe-mod-microsoft365-compliance

Control: 5.2.2.2 Ensure multifactor authentication is enabled for all users

Description

Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor when logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number, from which the user types in an authorization code, or a mobile application such as Microsoft Authenticator.

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Remediation

To remediate using the UI:

  1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
  2. Expand Protection > Conditional Access and select Policies.
  3. Click New policy.
  • Under Users, include All users (and do not exclude any user).
  • Under Target resources, include All cloud apps and do not create any exclusions.
  • Under Grant, select Grant Access and check Require multifactor authentication.
  • Click Select at the bottom of the pane.
  4. Under Enable policy, set it to Report-only until the organization is ready to enable it.
  5. Click Create.

Note: Report-only is an acceptable first stage when introducing any Conditional Access (CA) policy. The control, however, is not complete until the policy is switched on.
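As an added example (not part of the steampipe mod or its query), the following Python evaluates Conditional Access policy objects against the criteria in the steps above, including the report-only caveat, and also flags an OR grant with several controls, where MFA is only one alternative. It assumes policies are dicts shaped like the Microsoft Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, grantControls, state); the sample policies it builds are constructed, not real tenant data.

```python
# Added example (not the steampipe mod's code): check Conditional Access policies
# against the remediation criteria; field names assume the Graph conditionalAccessPolicy resource.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def policy_findings(policy: dict) -> list[str]:
    """Reasons a policy does NOT satisfy 5.2.2.2; empty list means it does."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "All" not in (users.get("includeUsers") or []):
        findings.append("users: does not include All users")
    if any(users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles")):
        findings.append("users: has exclusions")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("apps: does not include All cloud apps")
    if apps.get("excludeApplications"):
        findings.append("apps: has exclusions")
    if "mfa" not in controls:
        findings.append("grant: does not require multifactor authentication")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        # e.g. 'mfa OR compliantDevice': a user can satisfy the policy without MFA
        findings.append("grant: MFA is one alternative, not required")
    state = policy.get("state")
    if state == REPORT_ONLY:
        findings.append("state: report-only, not yet enforced")
    elif state != "enabled":
        findings.append(f"state: {state!r}, policy is off")
    return findings


def tenant_status(policies: list[dict]) -> str:
    """'ok' when at least one policy fully satisfies the control, else 'alarm'."""
    return "ok" if any(not policy_findings(p) for p in policies) else "alarm"


def sample_policy(state, exclude_users=(), operator="OR", controls=("mfa",)) -> dict:
    """Constructed policy (not real tenant data) targeting All users and All apps."""
    return {
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }
```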

Default Value

Disabled

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_2 --share

SQL

This control uses a named query:

with users_having_admin_roles as (
  -- all directory role template ids present in the tenant
  select
    array_agg(role_template_id) as rid
  from
    azuread_directory_role
),
policy_with_mfa as (
  -- Conditional Access policies that require MFA, include at least one of
  -- those directory roles and exclude no users, counted per tenant
  select
    tenant_id,
    count(p.*)
  from
    azuread_conditional_access_policy as p,
    users_having_admin_roles as a
  where
    p.built_in_controls ?& array['mfa']
    and (p.users -> 'includeRoles')::jsonb ?| (a.rid)
    and jsonb_array_length(p.users -> 'excludeUsers') < 1
  group by
    tenant_id
),
tenant_list as (
  -- one row per tenant seen in the user directory
  select
    distinct on (tenant_id) tenant_id,
    _ctx,
    id,
    display_name
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has MFA enabled for all users.'
    else t.tenant_id || ' has MFA disabled for all users.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t;

Tags