Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Risk Level: High
Cloud Entity: Azure Active Directory
CloudGuard Rule ID: D9.AZU.IAM.46
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
User where assignedRoles contain [displayName regexMatch /.*Administrator|Creator|Global.*/] should have userCredentialRegistrationDetails.isRegisterWithMfa=true
REMEDIATION
From Portal
- From Azure Home, select the Portal Menu.
- Select the Azure Active Directory blade.
- Select 'Users'.
- Take note of all users with the role Service Co-Administrators, Owners or Contributors.
- Click on the Per-User MFA button in the top row menu.
- Ensure that 'MULTI-FACTOR AUTH STATUS' is Enabled for all noted users.
Note: Please note that at the time of writing, there is no API, Azure CLI or Powershell mechanism available to programmatically conduct security assessment or remediation for this recommendation.By default, multi-factor authentication is disabled for all users.
References
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
- https://workbench.cisecurity.org/sections/1460902/recommendations/2349012
Azure Active Directory
Azure Active Directory (Azure AD) is Microsoft���s cloud-based identity and access management service, which helps your employees sign in and access resources in external resources and internal res
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure Dashboard System Ruleset
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago