5.2.3.6 (L1) Ensure system-preferred multifactor authentication is enabled

Information

System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered.

The user is prompted to sign in with the most secure method they have registered, in the order below. The order of authentication methods is dynamic: Microsoft updates it as the security landscape changes and as stronger authentication methods emerge.

- Temporary Access Pass
- Passkey (FIDO2)
- Microsoft Authenticator notifications
- External authentication methods
- Time-based one-time password (TOTP)
- Telephony
- Certificate-based authentication

The recommended state is Enabled.

Regardless of which authentication methods an administrator has enabled or which method a user has set as preferred, the system dynamically selects the most secure option available at the time of authentication. This acts as an additional safeguard against weaker methods, such as voice calls, SMS, and email OTPs, that may have been left enabled inadvertently through misconfiguration or a lack of configuration hardening.

Explicitly enforcing the default behavior also ensures the feature cannot be silently disabled.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com/
- Click to expand Protection and select Authentication methods.
- Select Settings.
- Set the System-preferred multifactor authentication State to Enabled and include All users.
- Any user exclusions should be documented and reviewed annually.
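The following PowerShell script is an added example for auditing (and, optionally, remediating) this setting through Microsoft Graph rather than the portal; it is not part of the CIS benchmark or the Nessus plugin. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that `Get-MgPolicyAuthenticationMethodPolicy` exposes the policy's `SystemCredentialPreferences` object (with `State`, `IncludeTargets` and `ExcludeTargets`), that `all_users` is the include-target id for the whole tenant, and that `Update-MgPolicyAuthenticationMethodPolicy -BodyParameter` accepts a hashtable mirroring the Graph `authenticationMethodsPolicy` schema.

```powershell
# Added audit/remediation example (not from the benchmark page or Tenable).
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the caller holds
# Policy.Read.All (plus Policy.ReadWrite.AuthenticationMethod when -Remediate is used).
param(
    [switch]$Remediate
)

$scopes = @('Policy.Read.All')
if ($Remediate) { $scopes += 'Policy.ReadWrite.AuthenticationMethod' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# The tenant-wide authentication methods policy carries the
# system-preferred MFA setting as systemCredentialPreferences (assumed property name).
$policy = Get-MgPolicyAuthenticationMethodPolicy
$prefs  = $policy.SystemCredentialPreferences

$state    = $prefs.State
$includes = @($prefs.IncludeTargets | ForEach-Object { $_.Id })
$excludes = @($prefs.ExcludeTargets | ForEach-Object { $_.Id })

Write-Host "System-preferred MFA state : $state"
Write-Host "Include targets            : $($includes -join ', ')"
Write-Host "Exclude targets            : $($excludes -join ', ')"

# Benchmark intent: state explicitly Enabled and scoped to all users.
# 'default' means the tenant relies on the Microsoft-managed value, which is
# currently Enabled but is not an explicit enforcement.
$compliant = ($state -eq 'enabled') -and ($includes -contains 'all_users')

if ($compliant) {
    Write-Host 'PASS: system-preferred MFA is explicitly enabled for all users.'
} elseif ($state -eq 'default') {
    Write-Warning 'Relying on the Microsoft-managed default; the benchmark expects State set explicitly to Enabled.'
} else {
    Write-Warning "FAIL: state='$state', include targets='$($includes -join ', ')'."
}

if ($excludes.Count -gt 0) {
    Write-Warning "Exclusions present ($($excludes -join ', ')); document them and review annually."
}

if ($Remediate -and -not $compliant) {
    # Assumed request body shape, mirroring the Graph authenticationMethodsPolicy schema.
    $body = @{
        systemCredentialPreferences = @{
            state          = 'enabled'
            includeTargets = @(@{ targetType = 'group'; id = 'all_users' })
        }
    }
    Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $body
    Write-Host 'Remediation submitted; re-run without -Remediate to verify.'
}
```

Run it without parameters to audit; add `-Remediate` to set the state to Enabled for all users. Exclusions are reported but never removed automatically, since the benchmark requires them to be documented and reviewed rather than silently dropped.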

Impact:

The Microsoft-managed value of system-preferred MFA is Enabled, so setting it explicitly only enforces the default behavior. No additional impact is expected.

Note: Because of known issues between certificate-based authentication (CBA) and system-preferred MFA, Microsoft moved CBA to the bottom of the preference list. CBA is still considered a strong authentication method.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2)

Plugin: microsoft_azure

Control ID: 5a72e667dd0c04ec453820c4845a1c45ad08656149f09eabbe176753f3ac8d6a