5.2.2.11 (L1) Ensure a managed device is required for MFA registration

Information

Conditional Access (CA) can be configured to enforce access based on the device's compliance status or whether it is Entra hybrid joined. Collectively this allows CA to classify devices as managed or not, providing more granular control over whether or not a user can register MFA on a device.

When using Require device to be marked as compliant the device must pass checks configured in Compliance policies defined within Intune (Endpoint Manager). Before these checks can be applied, the device must first be enrolled in Intune MDM.

Selecting Require Microsoft Entra hybrid joined device means the device must first be synchronized from an on-premises Active Directory to qualify for authentication.

When configured to the recommended state below only one condition needs to be met for the user to register MFA from the device. This functions as an "OR" operator.

The recommended state is to restrict Register security information to a device that is marked as compliant or Entra hybrid joined.

Requiring registration on a managed device significantly reduces the risk of bad actors using stolen credentials to register security information. Accounts that are created but never registered with an MFA method are particularly vulnerable to this type of attack. Enforcing this requirement will both reduce the attack surface for fake registrations and ensure that legitimate users register using trusted devices which typically have additional security measures in place already.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com.
- Click to expand Protection > Conditional Access and select Policies
- Create a new policy by selecting New policy
- Under Users include All users
- Under Target resources select User actions and check Register security information
- Under Grant select Grant access
- Check Require multifactor authentication and Require Microsoft Entra hybrid joined device
- Choose Require one of the selected controls and click Select at the bottom.
- Under Enable policy set it to Report Only until the organization is ready to enable it.
- Click Create
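Because Nessus does not perform this check, an added example (not part of the benchmark or of Tenable's plugin) of auditing an exported Conditional Access policy, in the Microsoft Graph conditionalAccessPolicy JSON shape, against the recommended state from the Information section: All users, the Register security information user action, compliant OR Entra hybrid joined device, and an enforced (not report-only) state. The two sample policies are constructed for the example; the Graph property names and enum values are the real ones.

```python
"""Audit an exported Entra Conditional Access policy against CIS 5.2.2.11."""
import json

# Microsoft Graph user-action id for "Register security information".
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
# Grant controls that classify a device as managed for this control.
MANAGED_DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

# Constructed sample policies (not from a real tenant).
GOOD_POLICY = json.dumps({
    "displayName": "Managed device required for MFA registration",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
    },
    "grantControls": {"operator": "OR",
                      "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
})
WEAK_POLICY = json.dumps({
    "displayName": "Draft registration policy",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["domainJoinedDevice"]},
})


def audit_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy matches the recommended state."""
    findings = []
    cond = policy.get("conditions", {})
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        findings.append("policy does not include All users")
    actions = cond.get("applications", {}).get("includeUserActions", [])
    if REGISTER_SECURITY_INFO not in actions:
        findings.append("policy does not target Register security information")
    grant = policy.get("grantControls") or {}
    missing = MANAGED_DEVICE_CONTROLS - set(grant.get("builtInControls", []))
    if missing:
        findings.append(f"missing grant control(s): {', '.join(sorted(missing))}")
    if grant.get("operator") != "OR":
        findings.append("operator is not OR; only one device condition should be required")
    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("policy is report-only and not enforced")
    elif state != "enabled":
        findings.append(f"policy state is {state!r}, expected 'enabled'")
    return findings


def audit_json(text: str) -> list[str]:
    """Wrapper for a policy exported as JSON text (e.g. from the Graph API)."""
    return audit_policy(json.loads(text))
```

Running `audit_json` over each policy returned by the Graph `identity/conditionalAccess/policies` endpoint and reporting the first one with no findings gives a repeatable check for this control.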

Impact:

The organization will be required to have a mature device management process. New devices provided to users will need to be pre-enrolled in Intune, auto-enrolled, or Entra hybrid joined. Otherwise, the user will be unable to complete registration, requiring additional resources from IT. This could be more disruptive in remote worker environments where MDM maturity is low.

In cases where the person enrolling in MFA (the enrollee) does not have physical access to a managed device, a help desk process can be created that uses a Teams meeting to complete enrollment:

- a durable process to verify the enrollee's identity, including government identification with a photograph held up to the camera, information only the enrollee should know, and verification by the enrollee's direct manager in the same meeting;
- completing enrollment in the same Teams meeting, with the enrollee granted screen and keyboard access to the help desk person's InPrivate Edge browser session.

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2)

Plugin: microsoft_azure

Control ID: dfecb0593df5fe858148dee24a07516b2f3e33be6d58fda4dc2c41b6cc6588b5