turbot/azure_compliance

Control: 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals

Description

This recommendation ensures that users accessing the Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multifactor authentication (MFA) credentials when logging into an Admin Portal.

Remediation

From Azure Portal

  1. From the Azure Admin Portal dashboard, open Microsoft Entra ID.
  2. Click Security in the Entra ID blade.
  3. Click Conditional Access in the Security blade.
  4. Click Policies in the Conditional Access blade.
  5. Click + New policy.
  6. Enter a name for the policy.
  7. Click the blue text under Users.
  8. Under Include, select All users.
  9. Under Exclude, check Users and groups.
  10. Select users or groups to be exempted from this policy (e.g. break-glass emergency accounts, and non-interactive service accounts) then click the Select button.
  11. Click the blue text under Target Resources.
  12. Under Include, click the Select apps radio button.
  13. Click the blue text under Select.
  14. Check the box next to Microsoft Admin Portals then click the Select button.
  15. Click the blue text under Grant.
  16. Under Grant access check the box for Require multifactor authentication then click the Select button.
  17. Before creating, set Enable policy to Report-only.
  18. Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

Default Value

MFA is not enabled by default for administrative actions.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v210_1_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v210_1_2_7 --share

SQL

This control uses a named query:

iam_conditional_access_mfa_enabled_for_administrators

Tags