Ensure only MFA enabled identities can access privileged Virtual Machine

Identify identities that can log in to a privileged virtual machine (one whose managed identity holds privileged roles) with credentials that are not protected by MFA. An adversary who obtains such an identity's password can log in to the virtual machine, move laterally from it, and act with the virtual machine's managed identity. Ensure the virtual machine's managed identity holds only the permissions its workload needs, and revoke admin-level permissions in line with the principle of least privilege.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 query

Asset types

1 covered

Rationale

Requiring multi-factor authentication (MFA) as organizational policy greatly reduces the risk that an adversary who obtains valid credentials can use them for initial access, lateral movement, and collection. MFA can also gate access to cloud resources and APIs, including interactive login to virtual machines.

An adversary who has compromised valid accounts (including on-premises accounts synchronized to Entra ID) may log in to reachable cloud services within the environment, including virtual machines those accounts hold login roles on, and from there move laterally and perform actions with the virtual machine's managed identity. Because any process on the virtual machine can request a token for the managed identity from the instance metadata endpoint without presenting credentials, the adversary can perform management actions or access cloud-hosted resources as that identity.

Impact

Azure PIM, used in the guidance below, requires Entra ID P2.

Assign virtual machine login roles to identities through a group rather than directly, make the assignment eligible through Azure PIM, and configure the PIM role settings to require MFA on activation. A third-party PAM solution that enforces MFA before granting access to virtual machines is an acceptable alternative.

Remediation guidance

Remediate from Azure Portal

  1. Log in to the Azure portal.
  2. Remediate by enabling MFA for the users concerned, by removing their login access to the virtual machine, or by reducing the permissions of the managed identity attached to the virtual machine:
  • Case I: Enable MFA for users having access to virtual machines.

    1. Navigate to Entra ID from the left pane and select Users from the Manage section.
    2. Click Per-user MFA in the top menu and, for each user whose MULTI-FACTOR AUTH STATUS is Disabled and who can log in to virtual machines:
      • Under quick steps on the right, select Enable.
      • Click Enable multi-factor auth and share the registration link with the user so they can set up MFA.
    Per-user MFA is the legacy mechanism; where Conditional Access is available, a policy that requires MFA for the affected users (or for all users) enforces the same requirement centrally and is Microsoft's recommended approach.
  • Case II: Remove user access on a virtual machine.

    1. Select the Subscription, then click Access control (IAM).
    2. Select Role assignments and search for Virtual Machine Administrator Login, Virtual Machine User Login, or any other role that grants login to virtual machines.
    3. Click the role name, select Assignments, and remove identities that do not have MFA configured. Note that assignments made at subscription or resource group scope are inherited by every virtual machine beneath that scope, so check parent scopes as well as the virtual machine itself.
  • Case III: Reduce the access of managed identities attached to virtual machines.

    1. Select the Subscription, then click Access control (IAM).
    2. Select Role assignments from the top menu and filter Assignment type to Privileged administrator roles and Type to Virtual Machines (the managed identities attached to virtual machines).
    3. Click the role name, select Assignments, and remove or downgrade the virtual machine identities' access so that each holds only the permissions its workload needs, following the least privilege principle.

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks. Azure Policy governs Azure resources such as role assignments and virtual machine identities, not the MFA state of Entra ID users; MFA enforcement itself belongs in Conditional Access or PIM role settings.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id> --definition-reference-id <definition-reference-id>

(--definition-reference-id is required when the assignment targets an initiative rather than a single policy definition; remediation tasks only apply to policies with deployIfNotExists or modify effects.)

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

  • Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
  • Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
  • Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id> --definition-reference-id <definition-reference-id>

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Privileged VMs accessible by users without MFA

Connectors

Microsoft Azure

Covered asset types

VM

Expected check: eq [] (the query must return no assets for the control to pass)

{
  PrivilegedVMsAccessibleByUsersWithoutMFA {
    ...AssetFragment
  }
}
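The stored check above runs against Cyscale's asset graph. The following is an added example, not Cyscale's query or Microsoft code, that reconstructs the same logic locally over data you can export yourself: role assignments shaped like the output of `az role assignment list --all` (roleDefinitionName, principalId, principalType, scope), a map from VM resource IDs to the principalId of each VM's managed identity (as `az vm identity show` reports it), and per-user MFA registration as returned by the Graph report reports/authenticationMethods/userRegistrationDetails (isMfaRegistered). The sample records, the subscription, VM and user names, and the two role sets are constructed assumptions: VM_LOGIN_ROLES names the two built-in VM login roles from Case II, and PRIVILEGED_ROLES approximates the portal's Privileged administrator roles filter from Case III.

```python
"""Find identities that can log in to a privileged Azure VM without MFA.

Added example (not Cyscale's stored query or Microsoft code). Runs offline on
constructed records; the role names below are assumptions, see the lead-in.
"""
from collections import defaultdict

# Built-in Entra ID VM login roles named in remediation Case II.
VM_LOGIN_ROLES = {"Virtual Machine Administrator Login", "Virtual Machine User Login"}
# Roles treated as "privileged administrator roles" for a VM's managed identity.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator",
                    "Role Based Access Control Administrator"}

# Constructed sample data: one subscription, two VMs, three users.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM_PROD = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-bastion"
VM_DEV = SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-dev"

# VM resource ID -> principalId of its system-assigned managed identity.
VM_IDENTITIES = {VM_PROD: "mi-bastion", VM_DEV: "mi-dev"}

ROLE_ASSIGNMENTS = [
    # The bastion VM's identity is Contributor on the subscription: privileged VM.
    {"roleDefinitionName": "Contributor", "principalId": "mi-bastion",
     "principalType": "ServicePrincipal", "scope": SUB},
    # The dev VM's identity only reads resources: not privileged.
    {"roleDefinitionName": "Reader", "principalId": "mi-dev",
     "principalType": "ServicePrincipal", "scope": SUB},
    # alice can log in to every VM in the subscription (inherited scope).
    {"roleDefinitionName": "Virtual Machine Administrator Login", "principalId": "alice",
     "principalType": "User", "scope": SUB},
    # bob can log in to the bastion VM only.
    {"roleDefinitionName": "Virtual Machine User Login", "principalId": "bob",
     "principalType": "User", "scope": VM_PROD},
    # carol can log in to the dev VM only.
    {"roleDefinitionName": "Virtual Machine User Login", "principalId": "carol",
     "principalType": "User", "scope": VM_DEV},
]

# Constructed userRegistrationDetails records keyed by user id.
MFA_REGISTRATION = {
    "alice": {"isMfaRegistered": True},
    "bob": {"isMfaRegistered": False},
    "carol": {"isMfaRegistered": False},
}


def scope_covers(scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits downward: an assignment at subscription or resource
    group scope applies to every resource beneath it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def privileged_vms(assignments, vm_identities):
    """VMs whose managed identity holds any privileged administrator role."""
    vm_by_principal = {pid: vm for vm, pid in vm_identities.items()}
    return {vm_by_principal[a["principalId"]]
            for a in assignments
            if a["principalType"] == "ServicePrincipal"
            and a["principalId"] in vm_by_principal
            and a["roleDefinitionName"] in PRIVILEGED_ROLES}


def vm_login_principals(assignments, vm):
    """Users holding a VM login role whose scope covers this VM."""
    return {a["principalId"] for a in assignments
            if a["principalType"] == "User"
            and a["roleDefinitionName"] in VM_LOGIN_ROLES
            and scope_covers(a["scope"], vm)}


def privileged_vms_accessible_without_mfa(assignments, vm_identities, mfa_registration):
    """Return {vm_resource_id: sorted non-MFA users}; an empty dict is the
    passing result (the control's 'eq []')."""
    findings = defaultdict(list)
    for vm in privileged_vms(assignments, vm_identities):
        for user in sorted(vm_login_principals(assignments, vm)):
            # A missing registration record is treated as no MFA: fail closed.
            if not mfa_registration.get(user, {}).get("isMfaRegistered", False):
                findings[vm].append(user)
    return dict(findings)


if __name__ == "__main__":
    result = privileged_vms_accessible_without_mfa(ROLE_ASSIGNMENTS, VM_IDENTITIES, MFA_REGISTRATION)
    for vm, users in result.items():
        print(f"{vm.rsplit('/', 1)[-1]}: login without MFA possible for {', '.join(users)}")
```

On the sample data only vm-bastion is privileged, and only bob is flagged: alice has MFA registered, and carol's login role is scoped to vm-dev, whose identity is merely Reader. Replace the constructed records with real exports and the same three functions give the list of identities to handle under Case I or Case II, and the list of VM identities to trim under Case III.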