Skip to main content

πŸ“ Microsoft Entra ID MFA For All Users is not required 🟒

  • Contextual name: πŸ“ MFA For All Users is not required 🟒
  • ID: /ce/ca/azure/microsoft-entra-id/mfa-for-all-users
  • Located in: πŸ“ Microsoft Entra ID

Flags​

Our Metadata​

  • Policy Type: BEST_PRACTICE
  • Policy Category:
    • SECURITY

Description​

Open File

Description​

A Conditional Access policy can be enabled to ensure that users are required to use Multifactor Authentication (MFA) to login.

Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:

Rationale​

Multifactor authentication is strongly recommended to increase the confidence that a claimed identity can be proven to be the subject of the identity. This results in a stronger authentication chain and reduced likelihood of exploitation.

Impact​

There is an increased cost associated with Conditional Access policies because of the requirement of Microsoft Entra ID P1 or P2 licenses. Additional support overhead may also need to be considered.

Audit​

From Azure Portal​
  1. From Azure Home open the Portal Menu in the top left, and select Microsoft Entra ID.

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. From Azure Home open Portal menu in the top left, and select Microsoft Entra ID.
  2. Select Security.
  3. Select Conditional Access.
  4. Select Policies.
  5. Click + New policy.
  6. Enter a name for the policy.
  7. Click the blue text under Users.
  8. Under Include, select All users.
  9. Under Exclude, check Users and groups.
  10. Select users this policy should not apply to and click Select.
  11. Click the blue text under Target resources.
  12. Select All cloud apps.
  13. Click the blue text under Grant.
  14. Under Grant access, check Require multifactor authentication and click Select.
  15. Set Enable policy to Report-only.
  16. Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users - Level 1 (Manual)1
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 2.2.5 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual)1
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 6.2.4 Ensure that a multifactor authentication policy exists for all users (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Multi-Factor Authentication (MFA) Implementation16