Detections
Analytics

5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users

Information

Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

 - Navigate to the Microsoft Entra admin center

https://entra.microsoft.com

.
 - Click expand Protection > Conditional Access select Policies
 - Click New policy
 - Under Users include All users
 - Under Target resources include All resources (formerly 'All cloud apps') and do not create any exclusions.
 - Under Grant select Grant Access and check either Require multifactor authentication or Require authentication strength
 - Click Select at the bottom of the pane.

 - Under Enable policy set it to Report-only until the organization is ready to enable it.
 - Click Create

Note: Break-glass accounts should be excluded from all Conditional Access policies.

Impact:

Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment.

External identities that attempt to access documents that utilize Purview Information Protection (Sensitivity Labels) will find their access disrupted. In order to mitigate this create an exclusion for Microsoft Rights Management Services ID: 00000012-0000-0000-c000-000000000000

Note: Organizations that struggle to enforce MFA globally due to budget constraints preventing the provision of company-owned mobile devices to every user, or due to regulations, unions, or policies that prevent forcing end users to use their personal devices, have another option. FIDO2 security keys can be used as an alternative. They are more secure, phishing-resistant, and affordable for organizations to issue to every end user.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: microsoft_azure

Control ID: 040cd43976c013052ee4d2d9f3f6c76307a0a349e94428f2cb85456584ba5392