Control: 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins
Description
For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.
Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu in the top left, and select
Microsoft Entra ID
. - Select
Security
- Select
Conditional Access
. - Click
+ New policy
. - Enter a name for the policy.
- Select
Users or workload identities
. - Under
Include
, selectAll users
. - Under
Exclude
, checkUsers and groups
. - Select users this policy should not apply to and click Select.
- Select
Cloud apps or actions
. - Select
All cloud apps
. - Select
Conditions
. - Select
Sign-in risk
. - Update the
Configure
toggle toYes
. - Check the sign-in risk level this policy should apply to, e.g.
High
andMedium
. - Select
Done
. - Click the blue text under
Grant access
and checkRequire multifactor authentication
then click theSelect
button. - Click the blue text under Session then check Sign-in frequency and select
Every time
and click theSelect
button. - Set
Enable policy
toReport-only
. - Click
Create
.
After testing the policy in report-only mode, update the Enable policy
setting from Report-only
to On
.
Default Value
MFA is not enabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v210_1_2_5
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v210_1_2_5 --share
SQL
This control uses a named query:
ad_manual_control