Microsoft Entra IDOverview
Designated users will be prompted to use their multi-factor authentication (MFA) process upon login.
Rationale
Enabling multi-factor authentication is a recommended setting to limit the potential for accounts to be compromised and to limit access to authenticated personnel.
Impact
Conditional Access policies require Microsoft Entra ID P1 or P2, which increases the cost. Similarly, if users lose access to their MFA, this may require additional overhead to maintain.
Default Value
MFA is not enabled by default.
Remediation guidance
From Azure Portal
- Open Conditional Access | Policies.
- Click
+ New policy. - Enter a name for the policy.
- Select
Users. - Under
Include, selectAll users. - Under
Exclude, checkUsers and groups. - Select users this policy should not apply to and click
Select. - Under
Target resources, selectCloud apps. - Select
All cloud apps. - Select
Grant. - Under
Grant access, checkRequire multifactor authenticationand clickSelect. - Set
Enable policytoReport-only. - Click
Create.
After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra Conditional Access Policies - MFA For All Users
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers: ["All"]
NOT: { excludeUsers: [] }
includeApplications: ["All"]
clientAppTypes: ["all"]
}
grantControls: { builtInControls: ["mfa"] }
}
}
) {
...AssetFragment
}
}
