Microsoft Entra IDOverview
If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and can use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.
Enable multi-factor authentication for all roles, groups, and users with write access or permissions to Azure resources. These include custom-created objects or built-in roles such as:
- Service Co-Administrators
- Subscription Owners
- Contributors
Rationale
Multi-factor authentication requires an individual to present at least two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Impact
Users would require two forms of authentication before access is granted. Enabling multi-factor authentication will require additional administrative time to manage dual forms of authentication.
Default Value
By default, multi-factor authentication is disabled for all users.
References
- https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factorauthentication
- https://stackoverflow.com/questions/41156206/azure-active-directory-premiummfa-attributes-via-graph-api
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identitymanagement#im-4-authenticate-server-and-services
Remediation guidance
Azure Portal
- Open Users
- Click on the
Per-User MFAbutton in the top row menu - Check the box next to each user reported by Cyscale
- Click
Enable MFA - Click
Enable
Other Options within the Azure Portal
Follow Microsoft Azure documentation and enable multi-factor authentication in your environment.
Enabling and configuring MFA with a conditional access policy is a multi-step process. Here are some additional resources on the process within Entra ID to enable multifactor authentication for users within your subscriptions with a conditional access policy.
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howtoconditional-access-policy-admin-mfa
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfagetstarted#enable-multi-factor-authentication-with-conditional-access
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfamfasettings
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra users with privileged Azure assignmnets
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
mfaActive: false
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
}
]
}
) {
...AssetFragment
}
}
