Detections
Analytics
5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles
Information
Multi-factor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.Ensure users in administrator roles have MFA capabilities enabled.
Rationale:
Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Impact:
Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To enable multifactor authentication for administrators:Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
Click expand Protection > Conditional Access select Policies.
Click New policy.
Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles.
At a minimum, select the Directory roles listed below in this section of the document.
Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
Leave all other conditions blank.
Make sure the policy is enabled.
Create.
At minimum these directory roles should be included for MFA:
Application administrator
Authentication administrator
Billing administrator
Cloud application administrator
Conditional Access administrator
Exchange administrator
Global administrator
Global reader
Helpdesk administrator
Password administrator
Privileged authentication administrator
Privileged role administrator
Security administrator
SharePoint administrator
User administrator
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L1 v3.0.0
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-2(1), CSCv7|16.3
Plugin: microsoft_azure
Control ID: f927db86628eb56b82afb34d95efa71fb9aee1c02384cb26fbea83436a7898d2