Ensure administrators have multi-factor authentication enabled

Overview

Users with administrative rights are targeted by attackers. Requiring multi-factor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.

Multi-factor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-step verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code)

Remediation guidance

Depending on the provider and the service you use, check out the following resources:

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Alibaba Cloud

Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Okta

Use tenant-wide sign-on policies, MFA policies, admin-role governance, and identity lifecycle automation so the control is enforced centrally.

Google Workspace

Use organization-wide admin settings, security baselines, and delegated admin governance so the control is enforced centrally.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Microsoft Entra ID

Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.

Operational rollout

Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Alibaba & AWS Admins Without MFA

Connectors

Alibaba CloudAWS

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(where: {
    cloudProvider_IN: ["alibaba", "aws"],
    OR: [
      {
        iamPolicies_SOME: {
          OR: [{
            internalName_CONTAINS: "Administrator"  
          }, {
            internalName_CONTAINS: "FullAccess"  
          }]
        }
      },
      {
        hasIAMGroup_SOME: {
          iamPolicies_SOME: {
            OR: [{
              internalName_CONTAINS: "Administrator"  
            }, {
              internalName_CONTAINS: "FullAccess"  
            }]
          }
        }
      }
    ],
    mfaSerialNumbers: []
  }) {
    ...AssetFragment
  }
}

Entra users with privileged Azure assignmnets

Connectors

Microsoft Azure

Covered asset types

User

Expected check: eq []

{
  users(
    where: {
      mfaActive: false
      OR: [
        {
          iamRoleAssignments_SOME: {
            OR: [
              { internalName_IN: ["Owner", "Contributor"] }
              { isClassicAdministratorAssignment: true }
            ]
          }
        }
        {
          groups_SOME: {
            iamRoleAssignments_SOME: {
              OR: [
                { internalName_IN: ["Owner", "Contributor"] }
                { isClassicAdministratorAssignment: true }
              ]
            }
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}

Okta Admins Without MFA

Connectors

Okta

Covered asset types

User

Expected check: eq []

{
  users(
    where: {
      applications_SOME: {
        name: "Okta Admin Console"
        hasPolicy_SOME: { mfaEnabled: false }
      }
      OR: [
        { roles_INCLUDES: "Super Administrator" }
        { roles_INCLUDES: "API Access Management Administrator" }
        { roles_INCLUDES: "Application Administrator" }
        { roles_INCLUDES: "Group Membership Administrator" }
        { roles_INCLUDES: "Help Desk Administrator" }
        { roles_INCLUDES: "Mobile Administrator" }
        { roles_INCLUDES: "Organizational Administrator" }
        { roles_INCLUDES: "Read-only Administrator" }
        { roles_INCLUDES: "Report Administrator" }
        { roles_INCLUDES: "Group Administrator" }
      ]
    }
  ) {
    ...AssetFragment
  }
}

Google Workspace Admins without MFA

Connectors

Google Workspace

Covered asset types

User

Expected check: eq []

{
  users(where: { isAdmin: true, NOT: { isEnrolledIn2Sv: true } }) {
    ...AssetFragment
  }
}

Google Cloud Admins Without MFA

Connectors

Google Cloud

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(
    where: {
      hasIAMRole_SOME: {
        OR: [
          { name_IN: ["roles/owner", "roles/editor"] }
          { name_CONTAINS: "admin" }
        ]
      }
      NOT: { user: { isEnrolledIn2Sv: true } }
    }
  ) {
    ...AssetFragment
  }
}

Entra admins without MFA

Connectors

Microsoft Entra ID

Covered asset types

User

Expected check: eq []

{
  users(where: { cloudProvider: "entra", isAdmin: true, mfaActive: false }) {
    ...AssetFragment
  }
}

Ensure administrators have multi-factor authentication enabled

Overview

Remediation guidance

AWS

Azure/Entra ID

Google Cloud/Workspace

Alibaba

Okta

Service-wide remediation

AWS

Alibaba Cloud

Azure

Okta

Google Workspace

Google Cloud

Microsoft Entra ID

Operational rollout

Query logic

Platform

Use Cases

Industries

Compare

Resources

Company