Microsoft Entra IDOverview
If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and can use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.
Enable multi-factor authentication for all roles, groups, and users with write access or permissions to Azure resources. These include custom-created objects or built-in roles such as:
- Service Co-Administrators
- Subscription Owners
- Contributors
Rationale
Multi-factor authentication requires an individual to present at least two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Impact
Users would require two forms of authentication before access is granted. Enabling multi-factor authentication will require additional administrative time to manage dual forms of authentication.
Default Value
By default, multi-factor authentication is disabled for all users.
References
- https://learn.microsoft.com/en-us/azure/multi-factor-authentication/multi-factorauthentication
- https://stackoverflow.com/questions/41156206/azure-active-directory-premiummfa-attributes-via-graph-api
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identitymanagement#im-4-authenticate-server-and-services
Remediation guidance
Azure Portal
- Open Users
- Click on the
Per-User MFAbutton in the top row menu - Check the box next to each user reported by Cyscale
- Click
Enable MFA - Click
Enable
Other Options within the Azure Portal
Follow Microsoft Azure documentation and enable multi-factor authentication in your environment.
Enabling and configuring MFA with a conditional access policy is a multi-step process. Here are some additional resources on the process within Entra ID to enable multifactor authentication for users within your subscriptions with a conditional access policy.
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howtoconditional-access-policy-admin-mfa
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfagetstarted#enable-multi-factor-authentication-with-conditional-access
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfamfasettings
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra users with privileged Azure assignmnets
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
mfaActive: false
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
}
]
}
) {
...AssetFragment
}
}
