Pipeline: 2.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Description
[IMPORTANT - Please read the section overview: If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.]
Enable multi-factor authentication for all non-privileged users.
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Entra ID
blade. - Under
Manage
, clickUsers
. - Click on the
Per-User MFA
button in the top row menu. - Check the box next to each user.
- Click
Enable MFA
. - Click
Enable
.
Other Options within Azure Portal
Follow Microsoft Azure documentation and enable multi-factor authentication in your environment.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
Enabling and configuring MFA is a multi-step process. Here are some additional resources on the process within Microsoft Entra ID:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings
Default Value
By default, multi-factor authentication is disabled for all users.
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run azure_cis.pipeline.cis_v300_2_1_3
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = azure_cis.pipeline.cis_v300_2_1_3 }
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
approvers | list(notifier) | Yes | List of notifiers to be used for obtaining action/approval decisions. | notifier.default |
Outputs
This pipeline has no outputs.