Ensure multifactor authentication is enabled for all users in administrative roles


Multi-factor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.

Ensure users in administrator roles have MFA capabilities enabled.


Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.


Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


To enable multifactor authentication for administrators:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Click expand Protection > Conditional Access select Policies.

Click New policy.

Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles.

At a minimum, select the Directory roles listed below in this section of the document.

Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).

Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).

Leave all other conditions blank.

Make sure the policy is enabled.


At minimum these directory roles should be included for MFA:

Application administrator

Authentication administrator

Billing administrator

Cloud application administrator

Conditional Access administrator

Exchange administrator

Global administrator

Global reader

Helpdesk administrator

Password administrator

Privileged authentication administrator

Privileged role administrator

Security administrator

SharePoint administrator

User administrator

See Also


Item Details


References: 800-53|IA-2(1), CSCv7|16.3

Plugin: microsoft_azure

Control ID: f927db86628eb56b82afb34d95efa71fb9aee1c02384cb26fbea83436a7898d2