Detections
Analytics
1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Enable multifactor authentication for all users who are members of administrative roles in the Microsoft 365 tenant. These include roles such as:Global Administrator
Billing Administrator
Exchange Administrator
SharePoint Administrator
Password Administrator
Skype for Business Administrator
Service Support Administrator
User Administrator
Dynamics 365 Service Administrator
Power BI Administrator
Rationale:
Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Impact:
Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To enable multifactor authentication for administrators, use the Microsoft 365 Admin Center:Log in to https://admin.microsoft.com as a Global Administrator.
Go to Admin centers and click on Azure Active Directory.
Select Enterprise applications then, under Security, select Conditional Access.
Click New policy
Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles.
At a minimum, select the following roles: Billing admin, Conditional Access admin, Exchange admin, Global admin, Helpdesk admin, Security admin, SharePoint admin, and User admin.
Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
Leave all other conditions blank.
Make sure the policy is enabled.
Create.
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L1 v1.5.0
References: CSCv7|16.3
Plugin: microsoft_azure
Control ID: 2f6d18ad983c3c33ce0f020efb9915938000e2009857e22ab9338b0584b30fbb