5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles

Information

Multifactor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.

Ensure users in administrator roles have MFA capabilities enabled.

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Solution

To remediate using the UI:

- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com
- Expand Protection > Conditional Access and select Policies.
- Click New policy.
- Under Users, choose Select users and groups and check Directory roles.
- At a minimum, include the directory roles listed below in this section of the document.
- Under Target resources, include All cloud apps and do not create any exclusions.
- Under Grant, select Grant access and check Require multifactor authentication.
- Click Select at the bottom of the pane.
- Under Enable policy, set it to Report-only until the organization is ready to enforce it.
- Click Create.

At minimum these directory roles should be included for MFA:

- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator

Note: Report-only is an acceptable first stage when introducing any Conditional Access policy. The control, however, is not satisfied until the policy is switched to On.
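The following is an added example, not part of the CIS benchmark or Tenable plugin, that evaluates a Conditional Access policy in the JSON shape returned by the Microsoft Graph endpoint GET /identity/conditionalAccess/policies against the criteria above (all listed roles included, All cloud apps targeted, no exclusions, MFA required, state enabled rather than report-only). The role template ID mapping and the sample policy are constructed placeholders; in a real tenant the mapping comes from GET /directoryRoleTemplates.

```python
from typing import Dict, List

# Directory roles the control says must be covered, by display name.
REQUIRED_ROLES = ["Application administrator", "Authentication administrator",
    "Billing administrator", "Cloud application administrator", "Conditional Access administrator",
    "Exchange administrator", "Global administrator", "Global reader", "Helpdesk administrator",
    "Password administrator", "Privileged authentication administrator",
    "Privileged role administrator", "Security administrator", "SharePoint administrator",
    "User administrator"]

def policy_findings(policy: dict, role_ids: Dict[str, str]) -> List[str]:
    """Reasons one CA policy (Graph JSON shape) fails the control; [] if it passes.
    role_ids maps role display name -> roleTemplateId (GET /directoryRoleTemplates)."""
    findings = []
    ids = {name.lower(): rid for name, rid in role_ids.items()}  # Entra names use title case
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    included = set(users.get("includeRoles") or [])
    missing = [r for r in REQUIRED_ROLES if ids.get(r.lower()) not in included]
    if missing:
        findings.append("missing roles: " + ", ".join(missing))
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("target resources are not All cloud apps")
    if any(users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles")):
        findings.append("user/group/role exclusions present")
    if apps.get("excludeApplications"):
        findings.append("application exclusions present")
    if "mfa" not in controls:
        findings.append("grant control does not require MFA")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("MFA is one of several OR'd controls, so it can be bypassed")
    if policy.get("state") != "enabled":  # report-only is staging, not compliance
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")
    return findings

def control_met(policies: List[dict], role_ids: Dict[str, str]) -> bool:
    """The control is satisfied when at least one policy has no findings."""
    return any(not policy_findings(p, role_ids) for p in policies)

# Constructed sample: placeholder template IDs and a policy left in report-only mode.
SAMPLE_ROLE_IDS = {name: f"template-{i:02d}" for i, name in enumerate(REQUIRED_ROLES)}
SAMPLE_POLICY = {
    "displayName": "Require MFA for admin roles",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeRoles": list(SAMPLE_ROLE_IDS.values())},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
```

Run `policy_findings(SAMPLE_POLICY, SAMPLE_ROLE_IDS)` to see that the only remaining finding for the sample is its report-only state.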

Impact:

Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|16.3

Plugin: microsoft_azure

Control ID: e0a8b2bd7b6bb7d0f505ea204c93d36a274af643528ff9534a6d924373c90594