1.1.2 Ensure multifactor authentication is enabled for all users in all roles

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.

Rationale:

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Impact:

Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To enable multifactor authentication for all users, use the Microsoft 365 Admin Center:

Log in to https://admin.microsoft.com as a Global Administrator.

Go to Admin centers and click on Azure Active Directory.

Select Enterprise applications then, under Security, select Conditional Access.

Click New policy

Select Cloud apps or actions > All cloud apps (and don't exclude any apps)

Go to Assignments > Users and groups > Include > select All users (and do not exclude any user).

Access Controls > Grant > Require multi-factor authentication (and nothing else)

Conditions > Client Apps > Configure (Yes) > Explicitly select Browser, Mobile apps and desktop clients, Modern authentication clients, Exchange ActiveSync clients, and Other clients

Leave all other conditions blank

Make sure the policy is enabled

Create
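As an added example, not from the benchmark or from Tenable: a Python check that evaluates Conditional Access policies exported from Microsoft Graph (GET /identity/conditionalAccess/policies) against the solution steps above, reporting which step each policy fails. Property names follow the Graph conditionalAccessPolicy resource; the client-app-type mapping and the ["all"] shorthand are assumptions, and the sample policies are constructed.

```python
# Client app types the benchmark step selects, as Microsoft Graph names them in
# conditionalAccessPolicy.conditions.clientAppTypes. Assumed mapping: "Modern
# authentication clients" is covered by mobileAppsAndDesktopClients.
REQUIRED_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"}
OTHER_CONDITIONS = ("platforms", "locations", "signInRiskLevels", "userRiskLevels")

def policy_findings(policy):
    """Return the benchmark criteria this one policy fails (empty list = passes)."""
    findings = []
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (state=%s)" % policy.get("state"))
    if users.get("includeUsers") != ["All"]:
        findings.append("not assigned to All users")
    if any(users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles")):
        findings.append("users, groups or roles are excluded")
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        findings.append("not assigned to All cloud apps without exclusions")
    # Grant must be "Require multi-factor authentication" and nothing else.
    if (grant.get("builtInControls") != ["mfa"] or grant.get("termsOfUse")
            or grant.get("customAuthenticationFactors")):
        findings.append("grant control is not exactly mfa")
    selected = set(cond.get("clientAppTypes") or [])  # Graph may return ["all"] (assumption)
    if "all" not in selected and not REQUIRED_CLIENT_APPS <= selected:
        findings.append("client app types missing: " + ", ".join(sorted(REQUIRED_CLIENT_APPS - selected)))
    extra = [k for k in OTHER_CONDITIONS if cond.get(k)]
    if extra:  # "Leave all other conditions blank"
        findings.append("other conditions are set: " + ", ".join(extra))
    return findings

def tenant_compliant(policies):
    """(True, report) when at least one policy meets every criterion; report maps name -> findings."""
    report = {p.get("displayName", "<unnamed>"): policy_findings(p) for p in policies}
    return any(not f for f in report.values()), report

SAMPLE_POLICIES = [  # constructed sample, shape of GET /identity/conditionalAccess/policies
    {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": sorted(REQUIRED_CLIENT_APPS)},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
```

Feed it the `value` array of the Graph response; each finding names one solution step above that the policy does not meet.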

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/files/3729