Microsoft Entra ID MFA For All Users is not required
- Contextual name: MFA For All Users is not required
- ID:
/ce/ca/azure/microsoft-entra-id/mfa-for-all-users
- Located in: Microsoft Entra ID
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type:
BEST_PRACTICE
- Policy Category:
SECURITY
Description
Designated users are prompted to complete their multi-factor authentication (MFA) method when they sign in. For this check the Conditional Access policy must include all users, with exclusions limited to emergency access (break-glass) accounts.
Rationale
Requiring multi-factor authentication reduces the likelihood that an account is compromised through a stolen, phished or guessed password, and limits access to personnel who can present a second factor.
Impact
There is an increased cost, as Conditional Access policies require Microsoft Entra ID P1 or P2 licensing. There is also additional operational overhead: users who lose access to their MFA method need a supported recovery path, and any excluded break-glass accounts must still be protected by a strong credential.
NOTE: Starting July 2024, Microsoft will begin requiring MFA for all users, including break-glass accounts, and by the end of October 2024 this requirement will be enforced. Physical FIDO2 security keys, or a certificate kept on secure removable storage, can fulfil this MFA requirement for break-glass accounts. If opting for a physical device, keep it in a very secure, documented physical location.
Audit
From Azure Portal
- From Azure Home open the Portal Menu in the top left, and select Microsoft Entra ID.
- Scroll down in the menu on the left, and select Security.
- Under Conditional Access, review the Policies list and confirm that at least one policy has Enable policy set to On (Report-only does not enforce anything), includes All users (excluding only break-glass accounts), targets All cloud apps, and has Require multifactor authentication selected under Grant.
Remediation
From Azure Portal
- From Azure Home open the Portal menu in the top left, and select Microsoft Entra ID.
- Select Security.
- Select Conditional Access.
- Select Policies.
- Click + New policy.
- Enter a name for the policy.
- Click the blue text under Users.
- Under Include, select All users.
- Under Exclude, check Users and groups.
- Select the users this policy should not apply to and click Select. Limit the exclusions to your emergency access (break-glass) accounts; every excluded account is an account an attacker can sign into with a password alone.
- Click the blue text under Target resources.
- Select All cloud apps.
- Click the blue text under Grant.
- Under Grant access, check Require multifactor authentication and click Select.
- Set Enable policy to Report-only.
- Click Create.

After testing the policy in report-only mode (the sign-in logs show which sign-ins would have been prompted), update the Enable policy setting from Report-only to On. Until the policy is On, the check still fails.
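The following Python is an added example, not code from this page or from Cloudaware or Microsoft. It evaluates Conditional Access policies against the Audit check above (an enabled policy that includes All users, targets All cloud apps and requires MFA) and builds the policy body that the Remediation steps above create through the portal. It assumes the property names of the Microsoft Graph v1.0 conditionalAccessPolicy resource (`state`, `conditions.users.includeUsers`, `conditions.applications.includeApplications`, `grantControls.builtInControls`); the sample tenant policies, the break-glass object id and all function names are constructed for illustration.

```python
"""Audit and remediation helpers for the "MFA policy exists for all users" check.

Operates on policy objects in the shape Microsoft Graph v1.0 returns from
GET /identity/conditionalAccess/policies. The sample policies at the bottom
are constructed for this example; they are not data from a real tenant.
"""
from __future__ import annotations

import copy
import json
from typing import Any

# Graph "state" values; the portal's "Report-only" is enabledForReportingButNotEnforced.
ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def build_mfa_policy(display_name: str, break_glass_ids: list[str],
                     state: str = REPORT_ONLY) -> dict[str, Any]:
    """Policy body matching the Remediation steps: All users minus break-glass
    exclusions, All cloud apps, Require multifactor authentication, Report-only.
    Usable as the JSON body of POST /identity/conditionalAccess/policies."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_ids)},  # object ids of excluded accounts
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def enable(policy: dict[str, Any]) -> dict[str, Any]:
    """The final remediation step: flip Report-only to On (returns a copy)."""
    enabled = copy.deepcopy(policy)
    enabled["state"] = ENABLED
    return enabled


def requires_mfa(policy: dict[str, Any]) -> bool:
    grant = policy.get("grantControls") or {}
    if "mfa" in (grant.get("builtInControls") or []):
        return True
    # Judgment call: requiring an authentication strength (e.g. phishing-resistant
    # MFA) is at least as strong as the plain "mfa" built-in control.
    return bool(grant.get("authenticationStrength"))


def covers_all_users_and_apps(policy: dict[str, Any]) -> bool:
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    # "All" in includeUsers still counts when only break-glass accounts are excluded;
    # a policy scoped via includeGroups/includeRoles does not. Other conditions
    # (locations, platforms, clientAppTypes) narrow scope further and are not modelled.
    return ("All" in (users.get("includeUsers") or [])
            and "All" in (apps.get("includeApplications") or []))


def is_enforcing_mfa_for_all(policy: dict[str, Any]) -> bool:
    """Only an enabled policy satisfies the check; Report-only enforces nothing."""
    return (policy.get("state") == ENABLED
            and covers_all_users_and_apps(policy) and requires_mfa(policy))


def audit(policies: list[dict[str, Any]]) -> dict[str, Any]:
    """Finding for the check: compliant iff some policy enforces MFA for all users.
    Report-only candidates are listed so the operator knows what to switch On."""
    enforcing = [p["displayName"] for p in policies if is_enforcing_mfa_for_all(p)]
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == REPORT_ONLY
                   and covers_all_users_and_apps(p) and requires_mfa(p)]
    return {"compliant": bool(enforcing),
            "enforcing_policies": enforcing,
            "report_only_candidates": report_only}


# Constructed sample tenant: an admins-only MFA policy, a legacy-auth block that
# covers everyone but grants nothing, and the remediation policy still in
# Report-only. None of them passes the check yet.
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {"displayName": "CA001 - Require MFA for admins", "state": ENABLED,
     "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},  # Global Administrator
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 - Block legacy authentication", "state": ENABLED,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    build_mfa_policy("CA003 - Require MFA for all users",
                     ["00000000-0000-0000-0000-00000000beef"]),  # constructed break-glass id
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))   # compliant: false, CA003 listed as report-only
    remediated = SAMPLE_POLICIES[:-1] + [enable(SAMPLE_POLICIES[-1])]
    print(json.dumps(audit(remediated), indent=2))        # compliant: true after switching CA003 On
```

To run it against a real tenant, export the policies with a token holding Policy.Read.All (for example `az rest --method get --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`) and pass the `value` array to `audit()`. The two-step output mirrors the remediation: the tenant fails while CA003 is Report-only and passes once `enable()` has been applied.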
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
CIS Azure v2.1.0 → 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users - Level 1 (Manual) | 1 | | | |
CIS Azure v3.0.0 → 2.2.5 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual) | 1 | | | |
Cloudaware Framework → Multi-Factor Authentication (MFA) Implementation | 16 | | | |