5.2.2.5 (L2) Ensure 'Phishing-resistant MFA strength' is required for Administrators

Information

Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.

Microsoft has 3 built-in authentication strengths: MFA strength, Passwordless MFA strength, and Phishing-resistant MFA strength. Ensure administrator roles are covered by a Conditional Access (CA) policy that requires Phishing-resistant MFA strength.

Administrators can then enroll using one of 3 methods:

- FIDO2 Security Key
- Windows Hello for Business
- Certificate-based authentication (Multi-Factor)

Note: Additional steps to configure methods such as FIDO2 keys are not covered here but can be found in related MS articles in the references section. The Conditional Access policy only ensures 1 of the 3 methods is used.

Warning: Administrators should be pre-registered for a strong authentication mechanism before this Conditional Access policy is enforced. Additionally, as stated elsewhere in the CIS Benchmark, a break-glass administrator account should be excluded from this policy to ensure unfettered access in the case of an emergency.

Sophisticated attacks targeting MFA are becoming more prevalent as its use becomes more widespread. These 3 methods are considered phishing-resistant because they remove passwords from the login workflow. They also ensure that the public/private key exchange can only happen between the device and a registered provider, which prevents login to fake or phishing websites.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
- Expand Protection > Conditional Access and select Policies.
- Click New policy.
- Under Users, include Select users and groups and check Directory roles.
- At a minimum, include the directory roles listed below in this section of the document.
- Under Target resources, include All cloud apps and do not create any exclusions.
- Under Grant, select Grant Access, check Require authentication strength and set Phishing-resistant MFA in the dropdown box.
- Click Select.
- Under Enable policy, set it to Report Only until the organization is ready to enable it.
- Click Create.

At a minimum, these directory roles should be included in the policy:

- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator

Warning: Ensure administrators are pre-registered with strong authentication before enforcing the policy, after which the policy must be set to On.
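Because Nessus does not perform this check, the following Microsoft Graph PowerShell script is an added audit example (not part of the CIS benchmark or the Tenable plugin) that looks for an enabled Conditional Access policy requiring the built-in Phishing-resistant MFA strength for every directory role listed above, targeting all cloud apps with no application exclusions, and reports excluded users so the break-glass exclusion can be reviewed. It assumes the Microsoft.Graph SDK is installed, that the role display names are spelled as in the tenant, and that the requested read-only scopes are granted.

```powershell
# Added audit script (not from the CIS benchmark or the Tenable plugin). Requires the
# Microsoft.Graph PowerShell SDK and a reader with the scopes below. Role display names
# and treating excluded users as "break-glass" accounts to review are assumptions.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$requiredRoles = @(
    'Application Administrator', 'Authentication Administrator', 'Billing Administrator',
    'Cloud Application Administrator', 'Conditional Access Administrator', 'Exchange Administrator',
    'Global Administrator', 'Global Reader', 'Helpdesk Administrator', 'Password Administrator',
    'Privileged Authentication Administrator', 'Privileged Role Administrator',
    'Security Administrator', 'SharePoint Administrator', 'User Administrator'
)

# CA policies store role template IDs in includeRoles, so map the display names first.
$templates   = Get-MgDirectoryRoleTemplate -All
$requiredIds = foreach ($name in $requiredRoles) {
    $t = $templates | Where-Object { $_.DisplayName -eq $name }
    if ($t) { $t.Id } else { Write-Warning "Role template not found: $name" }
}

# Resolve the built-in strength by name instead of hard-coding its GUID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }

$results = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    # Only policies whose grant control is this authentication strength are candidates.
    if ($p.GrantControls.AuthenticationStrength.Id -ne $strength.Id) { continue }
    $included     = @($p.Conditions.Users.IncludeRoles)
    $missingRoles = @($requiredIds | Where-Object { $included -notcontains $_ })
    $allCloudApps = ($p.Conditions.Applications.IncludeApplications -contains 'All') -and
                    (-not $p.Conditions.Applications.ExcludeApplications)
    [pscustomobject]@{
        Policy        = $p.DisplayName
        State         = $p.State   # 'enabled' passes; 'enabledForReportingButNotEnforced' is report-only
        MissingRoles  = $missingRoles.Count
        AllCloudApps  = $allCloudApps
        ExcludedUsers = @($p.Conditions.Users.ExcludeUsers).Count   # review: break-glass only
        Compliant     = ($p.State -eq 'enabled') -and ($missingRoles.Count -eq 0) -and $allCloudApps
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object Compliant) { 'PASS: phishing-resistant MFA is enforced for the listed administrator roles.' }
else { 'FAIL: no enabled Conditional Access policy meets the control; review the table above.' }
```

A policy still in Report Only shows State = enabledForReportingButNotEnforced and is reported as non-compliant until it is switched to On.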

Impact:

If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy being created, then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements and therefore are prevented from signing in.

Additionally, Internet Explorer-based credential prompts in PowerShell do not support prompting for a security key. Implementing phishing-resistant MFA with a security key may prevent admins from running their existing sets of PowerShell scripts. The Device Authorization Grant Flow can be used as a workaround in some instances.

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1)

Plugin: microsoft_azure

Control ID: a9067cd9fd913d64dc38ac07028be6368118e4bd65acf0b7e12dc3419618ae95