Allowing Multi-Factor Authentication (MFA) registration from any device, regardless of its management or compliance status, creates a serious security risk. If an attacker compromises a user’s credentials, they could register their own MFA factor from an unmanaged device. This would bypass MFA’s protection, giving the attacker control of the second authentication factor and enabling unauthorized access to sensitive resources, potentially leading to a full account takeover.
The zero trust model allows critical actions like MFA registration only from trusted and compliant devices. Limiting MFA registration to managed devices ensures that the device enabling this key security feature meets the organization’s standards. This greatly lowers the risk of an attacker with stolen credentials enrolling their own MFA method.
The MS.AAD.3.8v1 policy from the CISA "M365 Secure Configuration Baseline for Microsoft Entra ID," mandated by BOD 25-01, specifically requires that "Managed devices SHOULD be required to register MFA."
Following CISA guidance, this Indicator of Exposure (IoE) checks that at least one enabled Conditional Access Policy restricts MFA registration to managed devices, with the following settings:
An enabled Conditional Access Policy (CAP) must exist for the tenant to block Multi-Factor Authentication (MFA) registration from unmanaged devices.
To mitigate this risk, CISA (through the MS.AAD.3.8v1 policy in the "M365 Secure Configuration Baseline for Microsoft Entra ID", mandated by BOD 25-01) defines managed devices as those that are either compliant or Microsoft Entra hybrid joined.
To do this, you can create a CAP as follows:
Note: the "Require device to be marked as compliant" grant control requires that your organization use Microsoft Intune as its MDM.
Caution: Both Microsoft and Tenable recommend that you exclude certain accounts from Conditional Access policies to prevent tenant-wide account lockout and undesired side effects. Tenable also recommends that you follow the Microsoft documentation "Plan a Conditional Access deployment" to ensure proper planning and change management, as well as mitigate the risk of locking yourself out. In particular, if you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Cloud Sync, you must exclude their service account from the policy because it cannot comply with it. Use the "Exclude users" action and either exclude the service account(s) directly, or check the "Directory roles" option and select the "Directory Synchronization Accounts" role.
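The following is an added example, not Tenable's own IoE logic or CISA's ScubaGear code. It evaluates Conditional Access policies in the JSON shape returned by Microsoft Graph (`GET /identity/conditionalAccess/policies`) against the requirement described above: an enabled policy, scoped to all users, targeting the "Register security information" user action (`urn:user:registersecurityinfo`), that grants access only to compliant (`compliantDevice`) or hybrid joined (`domainJoinedDevice`) devices. It also accepts the block-plus-device-filter variant, and it flags matching policies that carry no user, group or role exclusions, since the caution above warns that such policies risk tenant-wide lockout. The sample policies are constructed; the role template ID in the first one is a placeholder, not a real identifier.

```python
"""Evaluate exported Conditional Access policies for MS.AAD.3.8v1 coverage.

Added example: the policy documents mimic the Microsoft Graph
conditionalAccessPolicy resource; the SAMPLE_POLICIES below are constructed.
"""
import json

# Graph identifiers for the "Register security information" user action and
# for the "compliant device" / "hybrid joined device" grant controls.
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
MANAGED_DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def requires_managed_device_for_mfa_registration(policy: dict) -> bool:
    """True if this single policy restricts MFA registration to managed devices for all users."""
    if policy.get("state") != "enabled":
        return False  # disabled or report-only policies enforce nothing
    cond = policy.get("conditions") or {}
    actions = (cond.get("applications") or {}).get("includeUserActions") or []
    if REGISTER_SECURITY_INFO not in actions:
        return False  # policy does not target security info registration
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        return False  # scoped to a subset of users, so unmanaged registration remains possible
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if controls == {"block"}:
        # Variant: block the action except on devices excluded by a device filter.
        # The rule check is a heuristic substring match on the filter expression.
        dev_filter = (cond.get("devices") or {}).get("deviceFilter") or {}
        rule = dev_filter.get("rule") or ""
        managed_rule = "device.isCompliant" in rule or 'device.trustType -eq "ServerAD"' in rule
        return dev_filter.get("mode") == "exclude" and managed_rule
    if not controls & MANAGED_DEVICE_CONTROLS:
        return False  # no managed-device control at all
    if grant.get("operator") == "OR" and controls - MANAGED_DEVICE_CONTROLS:
        return False  # e.g. "compliantDevice OR mfa": MFA alone satisfies the policy
    return True


def evaluate_tenant(policies: list) -> dict:
    """Summarise the IoE: exposed if no policy qualifies; also list qualifying policies with no exclusions."""
    matching = [p for p in policies if requires_managed_device_for_mfa_registration(p)]
    without_exclusions = []
    for p in matching:
        users = (p.get("conditions") or {}).get("users") or {}
        if not (users.get("excludeUsers") or users.get("excludeGroups") or users.get("excludeRoles")):
            without_exclusions.append(p["displayName"])  # lockout risk: no break-glass or sync-account exclusion
    return {
        "exposed": not matching,
        "satisfying_policies": [p["displayName"] for p in matching],
        "policies_without_exclusions": without_exclusions,
    }


# Constructed sample export (not from a real tenant). The excludeRoles value is a placeholder.
SAMPLE_POLICIES = [
    {
        "displayName": "Require managed device for MFA registration",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeRoles": ["<directory-sync-accounts-role-template-id>"]},
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
    {
        "displayName": "Register security info - report only",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
    {
        "displayName": "MFA or compliant device for registration",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "Block registration from unmanaged devices",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
            "devices": {"deviceFilter": {"mode": "exclude",
                                         "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    print(json.dumps(evaluate_tenant(SAMPLE_POLICIES), indent=2))
```

The report-only policy and the "mfa OR compliantDevice" policy both fail the check, which is the point: a policy that is not enforced, or that lets MFA alone satisfy the grant, does not close the exposure. The block-variant policy qualifies but is reported as having no exclusions, which is the lockout condition the caution above describes.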
Name: Managed Devices Not Required for MFA Registration
Codename: MANAGED-DEVICES-NOT-REQUIRED-FOR-MFA-REGISTRATION
Severity: Medium
Type: Microsoft Entra ID Indicator of Exposure