Ensure that Multi-Factor Authentication (MFA) is enabled for non-privileged users such as developers, service readers or operators, in order to help safeguard the access to Microsoft Azure cloud data and applications. MFA reduces organizational risk and helps achieving regulatory compliance by providing an additional layer of security on top of the existing user credentials, using a second form of authentication to secure employee, customer and partner access. By default, Multi-Factor Authentication is disabled for all Microsoft Azure users.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
MFA represents a simple and efficient method of validating your Azure cloud user identity by requiring an authentication code generated by a virtual or hardware device, in addition to your usual access credentials, i.e. user name and password. With Azure Multi-Factor Authentication enabled, if an attacker manages to discover the user's password, the authentication information exposed is useless without having also access to the additional authentication method (in this case the MFA device).
Audit
To determine if MFA is enabled for non-privileged Azure users, perform the following actions:
Remediation / Resolution
To enable Multi-Factor Authentication (MFA) for your non-privileged Azure users, perform the following actions:
Note 1: By default, MFA is disabled for all Microsoft Azure users, therefore their MFA state is set to Disabled. Once you enable MFA for your Azure users, their state changes to Enabled. When enabled users sign in and complete the MFA registration process, their state changes to Enforced.Note 2: As example, this conformity rule utilizes Microsoft Authenticator as MFA virtual device.
References
- Azure Official Documentation
- How it works: Microsoft Entra multifactor authentication
- Plan a Microsoft Entra multifactor authentication deployment
- Use the sign-ins report to review Microsoft Entra multifactor authentication events
- Enable per-user Microsoft Entra multifactor authentication to secure sign-in events
- CIS Microsoft Azure Foundations
- Azure PowerShell Documentation
- Microsoft Entra ID (MSOnline)
- MSOnline
- Get-MsolUser
- Set-MsolUser
- Azure Command Line Interface (CLI) Documentation
- az
- az ad user list
- az role assignment list
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Multi-factor Authentication For All Non-privileged Users
Risk Level: High