Microsoft Entra ID MFA For All Users is not required
- Contextual name: MFA For All Users is not required
- ID: /ce/ca/azure/microsoft-entra-id/mfa-for-all-users
- Located in: Microsoft Entra ID
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type: BEST_PRACTICE
- Policy Category: SECURITY
Description
A Conditional Access policy can be enabled to ensure that users are required to use Multifactor Authentication (MFA) to log in.
Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:
- https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
Rationale
Multifactor authentication is strongly recommended to increase the confidence that a claimed identity can be proven to be the subject of the identity. This results in a stronger authentication chain and reduced likelihood of exploitation.
Impact
There is an increased cost associated with Conditional Access policies because of the requirement of Microsoft Entra ID P1 or P2 licenses. Additional support overhead may also need to be considered.
Audit
From Azure Portal
- From Azure Home open the Portal Menu in the top left, and select Microsoft Entra ID.
Remediation
From Azure Portal
- From Azure Home open the Portal menu in the top left, and select Microsoft Entra ID.
- Select Security.
- Select Conditional Access.
- Select Policies.
- Click + New policy.
- Enter a name for the policy.
- Click the blue text under Users.
- Under Include, select All users.
- Under Exclude, check Users and groups.
- Select the users this policy should not apply to and click Select.
- Click the blue text under Target resources.
- Select All cloud apps.
- Click the blue text under Grant.
- Under Grant access, check Require multifactor authentication and click Select.
- Set Enable policy to Report-only.
- Click Create.
After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.
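As an added example, not part of this policy page or Cloudaware's own checks: a Python audit over Conditional Access policies shaped like the Microsoft Graph conditionalAccessPolicy resource (in a real tenant the list would come from GET /identity/conditionalAccess/policies; here it is a constructed sample with placeholder ids). A policy satisfies the control only when it includes All users, targets All cloud apps, makes MFA unavoidable in the grant controls, and is enabled rather than report-only, which is the state the remediation steps leave the policy in until testing is finished.

```python
# Constructed sample in the shape of the Microsoft Graph conditionalAccessPolicy
# resource (not exported from a real tenant). Role/user ids are placeholders.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["ROLE-ID-PLACEHOLDER"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA or compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Pilot: MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["BREAKGLASS-ID-PLACEHOLDER"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def covers_all_users(policy):
    """Include must be the 'All users' selector; excluded break-glass accounts are allowed."""
    return "All" in policy.get("conditions", {}).get("users", {}).get("includeUsers", [])


def covers_all_apps(policy):
    """Target resources must be 'All cloud apps'."""
    return "All" in policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])


def requires_mfa(policy):
    """MFA must be unavoidable: either the only control, or combined with others via AND.
    With operator OR a user can satisfy a different control (e.g. compliant device) instead."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    return "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")


def evaluate(policies):
    """Return (enforced, report_only) display names of policies that require MFA
    for all users on all cloud apps. Disabled policies never count."""
    enforced, report_only = [], []
    for p in policies:
        if not (covers_all_users(p) and covers_all_apps(p) and requires_mfa(p)):
            continue
        if p.get("state") == "enabled":
            enforced.append(p["displayName"])
        elif p.get("state") == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
    return enforced, report_only


def mfa_for_all_users_required(policies):
    """True only when an enforced (not report-only) qualifying policy exists."""
    return bool(evaluate(policies)[0])
```

On the sample the check fails: the only all-users policy is still in report-only mode, which is exactly the finding this control is meant to raise after the pilot phase.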
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v2.1.0 → 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users - Level 1 (Manual) | 1 | | |
CIS Azure v3.0.0 → 2.2.5 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual) | 1 | | |
CIS Azure v4.0.0 → 6.2.4 Ensure that a multifactor authentication policy exists for all users (Manual) | 1 | | |
Cloudaware Framework → Multi-Factor Authentication (MFA) Implementation | 16 | | |