π Microsoft Entra ID MFA For Windows Azure Service Management API is not required π’
- Contextual name: π MFA For Windows Azure Service Management API is not required π’
- ID:
/ce/ca/azure/microsoft-entra-id/mfa-for-windows-azure-service-management-api
- Located in: π Microsoft Entra ID
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY
- Policy Category:
SECURITY
Descriptionβ
Descriptionβ
This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API, etc.) are required to use multi-factor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.
Rationaleβ
Administrative access to the Windows Azure Service Management API should be secured with a higher level of scrutiny to authenticating mechanisms. Enabling multi-factor authentication is recommended to reduce the potential for abuse of Administrative actions, and to prevent intruders or compromised admin credentials from changing administrative settings.
IMPORTANT: While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. It is important that this rule be built to include "All Users" to ensure that all users not specifically excepted will be required to use MFA to access the Azure Service Management API.
... see more
Remediationβ
Remediationβ
From Azure Portalβ
- From the Azure Admin Portal dashboard, open
Microsoft Entra ID
.- Click
Security
in the Entra ID blade.- Click
Conditional Access
in the Security blade.- Click
Policies
in the Conditional Access blade.- Click
+ New policy
.- Enter a name for the policy.
- Click the blue text under
Users
.- Under
Include
, selectAll users
.- Under
Exclude
, checkUsers and groups
.- Select users or groups to be exempted from this policy (e.g. break-glass emergency accounts, and non-interactive service accounts) then click the
Select
button.- Click the blue text under
Target Resources
.- Under Include, click the
Select apps
radio button.- Click the blue text under
Select
.- Check the box next to
Windows Azure Service Management APIs
then click theSelect
button.- Click the blue text under
Grant
.- Under
Grant access
check the box forRequire multifactor authentication
then click theSelect
button.- Before creating, set
Enable policy
toReport-only
.... see more
policy.yamlβ
Linked Framework Sectionsβ
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
πΌ CIS Azure v2.1.0 β πΌ 1.2.6 Ensure Multifactor Authentication is Required for Windows Azure Service Management API - Level 1 (Manual) | 1 | |||
πΌ CIS Azure v3.0.0 β πΌ 2.2.7 Ensure Multi-factor Authentication is Required for Windows Azure Service Management API (Manual) | 1 | |||
πΌ Cloudaware Framework β πΌ Multi-Factor Authentication (MFA) Implementation | 16 |