Control: 5.2.3.4 Ensure all member users are 'MFA capable'
Description
Microsoft defines "multifactor authentication capable" as a user who is registered and enabled for a strong authentication method, where that method is also allowed by the tenant's authentication methods policy. A user who has registered a method the policy does not allow is therefore not MFA capable.
Ensure all member users are MFA capable.
Remediation
Remediation steps depend on the status of the personnel in question and on the configuration of Conditional Access policies, so they are not covered in detail here. Administrators should review each identified user on a case-by-case basis using the conditions below.
User has never signed on:
- Employment status should be reviewed, and appropriate action taken on the user account's roles, licensing and enablement.
Conditional Access policy applicability:
- Ensure a CA policy is in place requiring all users to use MFA.
- Ensure the user is not excluded from the CA MFA policy.
- Ensure the policy's state is set to On.
- Use What if to determine applicable CA policies (Protection > Conditional Access > Policies).
- Review the user account in Sign-in logs. Under the Activity Details pane, click the Conditional Access tab to view applied policies.
Note: Conditional Access is covered step by step in section 5.2.2
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_3_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_3_4 --share

SQL
This control uses a named query:
select
  id as resource,
  case
    when is_mfa_capable then 'ok'
    else 'alarm'
  end as status,
  case
    when is_mfa_capable then title || ' is MFA capable.'
    else title || ' is not MFA capable.'
  end as reason,
  tenant_id as tenant_id
from
  microsoft365_user;
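The same ok/alarm evaluation, written as an added offline example that is not part of the benchmark or of the Powerpipe mod. It assumes the data has the shape of the Microsoft Graph userRegistrationDetails report (that the mod's microsoft365_user table is fed from that report is an assumption), and the rows below are constructed, not real tenant data. Beyond the control itself, it separates the two reasons a member user can fail: no method registered at all, or a registered method that the authentication methods policy does not allow.

```python
"""Evaluate CIS 5.2.3.4 (all member users MFA capable) over a
userRegistrationDetails-style report, offline."""
from collections import Counter

# Constructed sample rows shaped like Graph's
# /reports/authenticationMethods/userRegistrationDetails (not real data).
SAMPLE_REPORT = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "userDisplayName": "Alice",
     "userType": "member", "isMfaRegistered": True, "isMfaCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    # Registered an SMS method, but the auth methods policy does not allow it.
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "userDisplayName": "Bob",
     "userType": "member", "isMfaRegistered": True, "isMfaCapable": False,
     "methodsRegistered": ["mobilePhone"]},
    # Has never registered any method.
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "userDisplayName": "Carol",
     "userType": "member", "isMfaRegistered": False, "isMfaCapable": False,
     "methodsRegistered": []},
    # Guest account: out of scope for a control about member users.
    {"id": "u4", "userPrincipalName": "dan_ext#EXT#@contoso.example", "userDisplayName": "Dan",
     "userType": "guest", "isMfaRegistered": False, "isMfaCapable": False,
     "methodsRegistered": []},
]


def evaluate_user(row):
    """Mirror the control: 'ok' when MFA capable, else 'alarm', same reason text."""
    title = row.get("userDisplayName") or row["userPrincipalName"]
    if row["isMfaCapable"]:
        return {"resource": row["id"], "status": "ok", "reason": f"{title} is MFA capable."}
    # Triage hint: registered-but-not-allowed vs. nothing registered.
    if row["isMfaRegistered"]:
        hint = "registered method(s) not allowed by the authentication methods policy: " \
               + ", ".join(row["methodsRegistered"])
    else:
        hint = "no MFA method registered"
    return {"resource": row["id"], "status": "alarm",
            "reason": f"{title} is not MFA capable.", "hint": hint}


def run_control(report):
    """Evaluate every member user; guests are skipped."""
    return [evaluate_user(r) for r in report if r["userType"] == "member"]


def summarize(results):
    """Count results per status, e.g. {'ok': 1, 'alarm': 2} for the sample."""
    return Counter(r["status"] for r in results)
```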