Microsoft Entra IDOverview
Joining or registering devices to the Microsoft Entra ID should require Multi-factor authentication.
Rationale
Multi-factor authentication is recommended when adding devices to Microsoft Entra ID. When set to Yes, users who are adding devices from the internet must first use the second authentication method before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. Note: Some Microsoft documentation suggests using conditional access policies to join a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.
Impact
There is a slight impact of additional overhead, as Administrators will now have to approve every access to the domain.
Default Value
By default, Require Multi-Factor Authentication to register or join devices with Microsoft Entra is set to No.
Additional Information
If Conditional Access is available, this recommendation should be bypassed in favor of implementing Conditional Access that requires Multifactor Authentication to register or join devices with Microsoft Entra.
Remediation guidance
From Azure Portal
- Open Devices | Device settings
- Set
Require Multi-Factor Authentication to register or join devices with Microsoft EntratoYes.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra tenants allowing device registration/join without MFA
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
deviceRegistrationPolicy: {
NOT: { multiFactorAuthConfiguration: "required" }
}
}
) {
...AssetFragment
}
}
