π Microsoft Entra ID Remember MFA devices setting is disabled π’
- Contextual name: π Remember MFA devices setting is disabled π’
- ID:
/ce/ca/azure/microsoft-entra-id/users-multi-factor-auth-on-devices - Located in: π Microsoft Entra ID
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Descriptionβ
Descriptionβ
[IMPORTANT - Please read the section overview: If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, F5, or Business Premium, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.]
Do not allow users to remember multi-factor authentication on devices.
Rationaleβ
Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.
Impactβ
For every login attempt, the user will be required to perform multi-factor authentication.
Auditβ
From Azure Portalβ
... see more
Remediationβ
Remediationβ
From Azure Portalβ
- From Azure Home select the Portal Menu
- Select
Microsoft Entra ID- Under
Manage, clickUsers- Click the
Per-user MFAbutton on the top bar- Click on
Service settings- Uncheck the box next to
Allow users to remember multi-factor authentication on devices they trust- Click
Save
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v4.0.0 β πΌ 6.1.3 Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ General Access Controls | 11 |