Overview
This recommendation ensures that users accessing the Windows Azure Service Management API (i.e., Azure PowerShell, Azure CLI, Azure Resource Manager API, etc.) must use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.
Rationale
Administrative access to the Windows Azure Service Management API should be protected by a stronger authentication mechanism than ordinary user access. Enabling multifactor authentication is recommended to reduce the potential for abuse of administrative actions and to prevent intruders or compromised admin credentials from changing administrative settings.
IMPORTANT: While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. This rule must be built to include "All Users" to ensure that all users not specifically excepted will be required to use MFA to access the Azure Service Management API.
Impact
Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. They may also add maintenance overhead when users lose access to their MFA method. Any users or groups that are granted an exception to this policy should be carefully tracked and granted only the minimum necessary privileges, and Conditional Access exceptions should be regularly reviewed or investigated.
Default Value
MFA is not enabled by default for administrative actions.
Remediation guidance
From Azure Portal
- Open Conditional Access | Policies.
- Click + New policy.
- Enter a name for the policy.
- Click the blue text under Users.
- Under Include, select All users.
- Under Exclude, check Users and groups.
- Select users or groups to be exempted from this policy (e.g., break-glass emergency accounts and non-interactive service accounts), then click the Select button.
- Click the blue text under Target Resources.
- Under Include, click the Select apps radio button.
- Click the blue text under Select.
- Check the box next to Windows Azure Service Management APIs, then click the Select button.
- Click the blue text under Grant.
- Under Grant access, check the box for Require multifactor authentication, then click the Select button.
- Before creating, set Enable policy to Report-only.
- Click Create.
After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra Conditional Access - MFA for Windows Azure Service Management API
Connectors
Covered asset types
Expected check: eq []
{
  connectors(
    where: {
      conditionalAccessPolicies_NONE: {
        conditions: {
          includeUsers: ["All"]
          NOT: { OR: { excludeUsers: [], excludeGroups: [], excludeRoles: [] } }
          includeApplications: ["797f4846-ba00-4fd7-ba43-dac1f8f63013"]
          clientAppTypes: ["all"]
        }
        grantControls: { builtInControls: ["mfa"] }
      }
    }
  ) {
    ...AssetFragment
  }
}
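As an added example that is not part of this recommendation or of the stored check, the following Python builds the Microsoft Graph request body for the policy the portal steps above describe and audits an exported policy list for the same conditions the stored check tests (all users, the Service Management API application id, all client app types, an MFA grant, and an enabled state). The sample policies are constructed and the break-glass group id is a placeholder.

```python
# Application id of "Windows Azure Service Management API", as used by the stored check above.
AZURE_MGMT_API_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

def policy_body(name, exclude_users=(), exclude_groups=()):
    """Request body for POST /identity/conditionalAccess/policies (Microsoft Graph)
    mirroring the portal steps above. It starts in report-only mode; change the
    state to "enabled" only after the report-only results have been reviewed."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(exclude_users),
                      "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": [AZURE_MGMT_API_APP_ID]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def enforces_mfa_for_mgmt_api(policy):
    """True when one policy (as returned by GET /identity/conditionalAccess/policies)
    satisfies the control: enabled, all users, this app, all client types, MFA grant."""
    cond = policy.get("conditions", {})
    return (
        policy.get("state") == "enabled"  # report-only and disabled policies do not enforce
        and "All" in cond.get("users", {}).get("includeUsers", [])
        and AZURE_MGMT_API_APP_ID in cond.get("applications", {}).get("includeApplications", [])
        and "all" in cond.get("clientAppTypes", [])
        and "mfa" in policy.get("grantControls", {}).get("builtInControls", [])
    )

def audit(policies):
    """Return (compliant, exceptions): whether any policy enforces the control, plus the
    users/groups excluded from the enforcing policies, which belong in the access review."""
    enforcing = [p for p in policies if enforces_mfa_for_mgmt_api(p)]
    exceptions = sorted({e for p in enforcing for key in ("excludeUsers", "excludeGroups")
                         for e in p["conditions"].get("users", {}).get(key, [])})
    return bool(enforcing), exceptions

# Constructed sample export: a report-only draft plus an enforced policy with one exception
# (the group id is a placeholder, not a real object id).
SAMPLE_POLICIES = [
    policy_body("CA01 - draft"),
    {**policy_body("CA02 - MFA for Azure management", exclude_groups=["<break-glass-group-id>"]),
     "state": "enabled"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
```

Feeding the `value` array of a real `GET /identity/conditionalAccess/policies` response to `audit` gives the same pass/fail answer as the stored check, and the returned exception list is the set of principals the Access Review process should track.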