Missing MFA for Privileged Account

High

Description

Multi-Factor Authentication (MFA), formerly known in its two-factor form as Two-Factor Authentication (2FA), protects accounts against weak, reused, or breached passwords. Security best practices and standards recommend enabling MFA, especially for privileged accounts. When an attacker obtains a privileged user's password by any means, MFA blocks the authentication by requiring an additional factor, such as a time-limited code from an authenticator application, a physical security key, or a biometric.

This Indicator of Exposure alerts you when a privileged account has no registered MFA method. The absence of a registered method is a risk even when MFA is enforced: if an attacker holding the password signs in before the legitimate user has registered a method, the attacker is the one who gets prompted to register, and can enroll their own method to satisfy the MFA requirement. Note that this Indicator of Exposure cannot report whether Microsoft Entra ID actually enforces MFA for a given account, because Conditional Access policies may require MFA only under dynamic conditions (location, device state, sign-in risk, application) that are not visible from the registration data alone.
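The check this indicator performs can be reproduced against your own tenant with the Microsoft Graph PowerShell SDK. The script below is an added example and is not Tenable's detection code: it joins the authentication-methods registration report with directory role assignments and lists every privileged user who has no registered MFA method. It assumes the Microsoft.Graph modules are installed and that the caller can consent to the listed scopes; the PIM eligibility cmdlet (Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance) requires a tenant with Privileged Identity Management and can be dropped otherwise.

```powershell
# Added example (not Tenable's code): list privileged Entra ID accounts that have
# no registered MFA method, using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph modules are installed and the caller can consent
# to the listed delegated scopes.

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All",
                        "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Registration report: one row per user, keyed by user object id, with
# IsMfaRegistered and the list of MethodsRegistered.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $registration[$_.Id] = $_
}

# Role definitions, to turn a RoleDefinitionId into a readable role name.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNames[$_.Id] = $_.DisplayName
}

# Active assignments plus PIM-eligible ones: an eligible admin who activates the
# role without a registered MFA method is the same exposure.
$assignments = @()
$assignments += Get-MgRoleManagementDirectoryRoleAssignment -All |
    Select-Object PrincipalId, RoleDefinitionId, @{ n = 'Kind'; e = { 'Active' } }
$assignments += Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    Select-Object PrincipalId, RoleDefinitionId, @{ n = 'Kind'; e = { 'Eligible' } }

$findings = foreach ($a in $assignments) {
    $user = $registration[$a.PrincipalId]
    # Groups and service principals have no registration row; they are skipped here.
    # Role-assignable groups would need their members expanded separately.
    if (-not $user) { continue }
    if (-not $user.IsMfaRegistered) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Role              = $roleNames[$a.RoleDefinitionId]
            Assignment        = $a.Kind
            MethodsRegistered = ($user.MethodsRegistered -join ',')
        }
    }
}

# Each row is one privileged role held by a user with no MFA method registered.
$findings | Sort-Object UserPrincipalName, Role | Format-Table -AutoSize
```

As with the indicator itself, this only tells you who has nothing registered; it does not tell you whether a Conditional Access policy would have required MFA for that user's sign-in. Treat every row as a gap to close by registering a method for the user (or removing the role), not as proof that the account signs in without MFA today.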

See also the related IOE, "Missing MFA for Non-Privileged Account", for non-privileged accounts.

Solution

All reported privileged users must register MFA methods and have MFA enforced to increase their protection against password attacks.

For Microsoft Entra ID, Microsoft provides a Conditional Access policy template called "Require MFA for administrators" that requires MFA for the built-in administrator roles. Once the policy is enforced, a user who has no registered method is prompted to register one at the next sign-in. Because that first-sign-in registration is exactly what an attacker holding the password could perform, register methods for existing administrators before, or immediately after, enforcing the policy. Deploy the policy in report-only mode first to review its impact, as recommended in the "Plan a Conditional Access deployment" Microsoft documentation.

Note that you should plan for one or two privileged break glass (emergency access) accounts that use different MFA methods from the normal administrative accounts, are excluded from this policy so that a misconfiguration cannot lock every administrator out, and whose sign-ins are monitored and alerted on, as recommended in the "Manage emergency access accounts in Azure AD" Microsoft documentation.
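The two steps above (require MFA for administrator roles, exclude the break glass accounts) can be applied as one Conditional Access policy through Microsoft Graph. The script below is an added example, not Microsoft's template itself: it builds the policy in report-only mode so sign-in impact can be reviewed before switching it to enforced. It assumes the Microsoft.Graph modules are installed; the role list is a subset of the roles Microsoft's template covers, and the break glass user principal names are placeholders to replace with your own.

```powershell
# Added example (not Microsoft's template): create a report-only Conditional Access
# policy requiring MFA for administrator roles, with break glass accounts excluded.
# Assumes the Microsoft.Graph modules are installed. The role list below is a
# subset of the roles in Microsoft's template; the break glass UPNs are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Directory.Read.All", "User.Read.All" -NoWelcome

# Roles to cover. Resolve role template IDs by display name instead of hard-coding GUIDs.
$roleNamesToCover = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'User Administrator', 'Exchange Administrator'
)
$roleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $roleNamesToCover -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Break glass accounts (placeholders): excluded so a broken policy cannot lock out
# every administrator. These accounts still need their own strong, separately
# stored authentication method and sign-in monitoring.
$breakGlassUpns = @('emergency1@example.onmicrosoft.com', 'emergency2@example.onmicrosoft.com')
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
}

$policy = @{
    displayName   = 'Require MFA for administrators (report-only)'
    # Report-only first; change to 'enabled' once the sign-in log review is clean.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications = @{ includeApplications = @('All') }
        users        = @{
            includeRoles = $roleIds
            excludeUsers = $breakGlassIds
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

While the policy is in report-only mode, review the Conditional Access report-only results in the sign-in logs for the included roles; users who would have been blocked only because they have no registered method are the same accounts this indicator reports, and should register a method before the state is switched to enabled.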

Indicator Details

Name: Missing MFA for Privileged Account

Codename: MISSING-MFA-FOR-PRIVILEGED-ACCOUNT

Severity: High

MITRE ATT&CK Information:

Techniques: T1098 (Account Manipulation), T1110 (Brute Force), T1556.006 (Modify Authentication Process: Multi-Factor Authentication), T1078.004 (Valid Accounts: Cloud Accounts)