turbot/microsoft365_compliance

Control: 5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles

Description

Multi-factor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.

Ensure users in administrator roles have MFA capabilities enabled.

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Remediation

To enable multifactor authentication for administrators:

  1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
  2. Click expand Protection > Conditional Access select Policies.
  3. Click New policy.
  4. Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles.
  5. At a minimum, select the Directory roles listed below in this section of the document.
  6. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
  7. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
  8. Leave all other conditions blank.
  9. Make sure the policy is enabled.
  10. Create.

At minimum these directory roles should be included for MFA:

  • Application administrator
  • Authentication administrator
  • Billing administrator
  • Cloud application administrator
  • Conditional Access administrator
  • Exchange administrator
  • Global administrator
  • Global reader
  • Helpdesk administrator
  • Password administrator
  • Privileged authentication administrator
  • Privileged role administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_1 --share

SQL

This control uses a named query:

azuread_admin_user_mfa_enabled

Tags