Control: 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Description
Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as;
- Service Co-Administrators
- Subscription Owners
- Contributors
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directoryblade - Then
Users - Select
All Users - Click on the
Per-User MFA buttonin the top row menu - Select each user individually with the role
Service Co-Administrators, Owners,ORContributorsin the columnMULTI-FACTOR AUTH STATUS - In the information box on the right side under the title
quick stepsclickenable
Other Options within Azure Portal
Follow Microsoft Azure documentation and enable multi-factor authentication in your environment. https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enableazure-mfa Enabling and configuring MFA with conditional access policy is a multi-step process. Here are some additional resources on the process within Azure AD to enable multifactor authentication for users within your subscriptions with conditional access policy.
- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howtoconditional-access-policy-admin-mfa
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfagetstarted#enable-multi-factor-authentication-with-conditional-access
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfamfasettings
Please note that at the time of writing, there is no API, Azure CLI or Powershell mechanism available to programmatically conduct security assessment or remediation for this recommendation. The only option is MSOL.
Default Value
By default, multi-factor authentication is disabled for all users.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v150_1_1_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v150_1_1_2 --shareSQL
This control uses a named query:
ad_manual_control