🛡️ Microsoft Entra ID MFA to access Microsoft Admin Portals is not required🟢⚪

• Contextual name: 🛡️ MFA To Access Microsoft Admin Portals is not required🟢⚪
• ID: /ce/ca/azure/microsoft-entra-id/mfa-to-access-microsoft-admin-portals
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Description

Open File

Description

This recommendation ensures that users accessing Microsoft Admin Portals (e.g., Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure portal) are required to use multi-factor authentication (MFA) when logging in to an admin portal.

Rationale

Administrative portals for Microsoft Azure should be secured with a higher level of scrutiny for authentication mechanisms. Enabling multi-factor authentication is recommended to reduce the potential for abuse of administrative actions and to prevent intruders or compromised admin credentials from changing administrative settings.

Important: While this recommendation allows exceptions to specific users or groups, they should be carefully tracked and reviewed for necessity on a regular interval through an access review process. It is important that this rule includes All Users to ensure that all users not specifically excepted are required to use MFA to access admin portals.

Impact

Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. Similarly, they may require additional overhead to maintain if users lose access to their MFA. Any users or groups which are granted an exception to this policy should be carefully tracked, be granted only minimal necessary privileges, and conditional access exceptions should be reviewed or investigated.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. From the Azure Admin Portal dashboard, open Microsoft Entra ID.
2. Click Security in the Entra ID blade.
3. Click Conditional Access in the Security blade.
4. Click Policies in the Conditional Access blade.
5. Click + New policy.
6. Enter a name for the policy.
7. Click the blue text under Users.
8. Under Include, select All users.
9. Under Exclude, check Users and groups.
10. Select users or groups to be exempted from this policy (e.g., break-glass emergency accounts and non-interactive service accounts), then click Select.
11. Click the blue text under Target Resources.
12. Under Include, click the Select apps radio button.
13. Click the blue text under Select.
14. Check the box next to Microsoft Admin Portals, then click Select.
15. Click the blue text under Grant.
16. Under Grant access, check the box for Require multifactor authentication, then click Select.
17. Before creating, set Enable policy to Report-only.
18. Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 5.2.7 Ensure that multifactor authentication is required to access Microsoft Admin Portals (Manual)			1		no data
💼 Cloudaware Framework → 💼 Multi-Factor Authentication (MFA) Implementation			18		no data