🛡️ Microsoft Entra ID MFA For All Users is not required🟢⚪

• Contextual name: 🛡️ MFA For All Users is not required🟢⚪
• ID: /ce/ca/azure/microsoft-entra-id/mfa-for-all-users
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: BEST_PRACTICE
• Policy Categories: SECURITY

Description

Open File

Description

A Conditional Access policy can be enabled to ensure that users are required to use Multifactor Authentication (MFA) to login.

Note: Since 2024, Azure has been rolling out mandatory multifactor authentication. For more information:

• https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in
• https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication

Rationale

Multifactor authentication is strongly recommended to increase the confidence that a claimed identity can be proven to be the subject of the identity. This results in a stronger authentication chain and reduced likelihood of exploitation.

Impact

There is an increased cost associated with Conditional Access policies because of the requirement of Microsoft Entra ID P1 or P2 licenses. Additional support overhead may also need to be considered.

Audit

From Azure Portal

1. From Azure Home open the Portal Menu in the top left, and select Microsoft Entra ID.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. From Azure Home open Portal menu in the top left, and select Microsoft Entra ID.
2. Select Security.
3. Select Conditional Access.
4. Select Policies.
5. Click + New policy.
6. Enter a name for the policy.
7. Click the blue text under Users.
8. Under Include, select All users.
9. Under Exclude, check Users and groups.
10. Select users this policy should not apply to and click Select.
11. Click the blue text under Target resources.
12. Select All cloud apps.
13. Click the blue text under Grant.
14. Under Grant access, check Require multifactor authentication and click Select.
15. Set Enable policy to Report-only.
16. Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v2.1.0 → 💼 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users - Level 1 (Manual)			1		no data
💼 CIS Azure v3.0.0 → 💼 2.2.5 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual)			1		no data
💼 CIS Azure v4.0.0 → 💼 6.2.4 Ensure that a multifactor authentication policy exists for all users (Manual)			1		no data
💼 Cloudaware Framework → 💼 Multi-Factor Authentication (MFA) Implementation			16		no data