
Enable Multi-Factor Authentication for Non-Privileged Users


Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-002

Ensure that Multi-Factor Authentication (MFA) is enabled for non-privileged users such as developers, service readers or operators, in order to help safeguard access to Microsoft Azure cloud data and applications. MFA reduces organizational risk and helps achieve regulatory compliance by providing an additional layer of security on top of the existing user credentials, using a second form of authentication to secure employee, customer and partner access. By default, Multi-Factor Authentication is disabled for all Microsoft Azure users.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

MFA represents a simple and efficient method of validating your Azure cloud user identity by requiring an authentication code generated by a virtual or hardware device, in addition to your usual access credentials, i.e. user name and password. With Azure Multi-Factor Authentication enabled, if an attacker manages to discover the user's password, the exposed authentication information is useless without also having access to the additional authentication method (in this case the MFA device).


Audit

To determine if MFA is enabled for non-privileged Azure users, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu.

05 From View dropdown list, select Sign-in allowed users to list all Azure users that are allowed to sign-in to the Management Console.

06 Choose the non-privileged user that you want to examine and check the MFA feature status available in the MULTI-FACTOR AUTH STATUS column. If the status is set to Disabled, Multi-Factor Authentication is not enabled, therefore the authentication process for the selected non-privileged Microsoft Azure user is not MFA-protected.

07 Repeat step no. 6 for each user that you want to examine, available in your Azure account.

Using Azure CLI

01 Run az ad user list command (Windows/macOS/Linux) with custom query filters to list all Microsoft Entra ID users available within your account:

az ad user list \
	--query '[].{userPrincipalName:userPrincipalName}' \
	--output table

02 The command output should return all your Microsoft Entra ID user names:

UserPrincipalName
------------------------------------------------
datadeveloper@cloudconformity.onmicrosoft.com
securitymanager@cloudconformity.onmicrosoft.com
identityoperator@cloudconformity.onmicrosoft.com

03 Run az role assignment list command (Windows/macOS/Linux) using query filters to return the name of the access control role(s) assigned to the Microsoft Entra ID user that you want to examine:

az role assignment list \
	--all \
	--assignee datadeveloper@cloudconformity.onmicrosoft.com \
	--query '[].{roleDefinitionName:roleDefinitionName}'

04 The command output should return an array that contains the name of the role(s) assigned to the specified Microsoft Entra ID user. The role name indicates whether the specified user is privileged or not. All user roles except Owner, *Contributor or *Administrator are considered non-privileged:

[
	{
		"roleDefinitionName": "Data Lake Analytics Developer"
	}
]

If the roleDefinitionName attribute value is set to something other than Owner, *Contributor or *Administrator, such as *Developer (as shown in the output example above), the selected user does not have privileged access, therefore the Audit process continues with the next step. Otherwise, the user has privileged access and the rule audit ends here.

05 Run az ad user show command to get the user's object ID:

az ad user show \
	--id datadeveloper@cloudconformity.onmicrosoft.com \
	--query id -o tsv

06 The command output returns the user's object ID:

abcd1234-5678-90ab-cdef-1234567890ab

07 Run az rest command to check the per-user MFA state using the Microsoft Graph API:

az rest --method GET \
	--uri 'https://graph.microsoft.com/beta/users/abcd1234-5678-90ab-cdef-1234567890ab/authentication/requirements' \
	--query perUserMfaState

Note: Checking per-user MFA state requires elevated administrative privileges. Your account must have one of the following roles: Global Administrator, Privileged Authentication Administrator, or Security Administrator.

08 The command output returns the per-user MFA state:

"disabled"

If the output is "disabled" or null, Multi-Factor Authentication is not enabled for the non-privileged user. If the output is "enabled" or "enforced", MFA is configured for the user.

09 Repeat steps no. 3 – 8 for each Microsoft Entra ID user that you want to examine.
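The following script is an added example, not Conformity's own tooling: it automates steps 1 to 9 of the CLI audit above for every user in the tenant. It assumes an active az login session holding one of the roles named in the Note, and it applies the page's classification rule (Owner, *Contributor and *Administrator are privileged, everything else is not); the function and verdict names are the example's own.

```shell
#!/bin/sh
# Added example (not Conformity's own code): audit per-user MFA state for all
# non-privileged Microsoft Entra ID users, following the CLI steps on this page.
# Assumes `az login` was done with a role allowed to read perUserMfaState.

# The page's rule: only Owner, *Contributor and *Administrator are privileged.
PRIVILEGED_ROLE_RE='Owner|.*Contributor|.*Administrator'

# Return 0 when any of the newline-separated role names in $1 is privileged.
# A user with no role assignments at all (empty input) counts as non-privileged.
has_privileged_role() {
  printf '%s\n' "$1" | grep -E -q -x "$PRIVILEGED_ROLE_RE"
}

# Map the perUserMfaState value (read with -o tsv, so no surrounding quotes;
# a null value surfaces as an empty string or "None") to an audit verdict.
mfa_verdict() {
  case "$1" in
    enabled|enforced)  echo "MFA_CONFIGURED" ;;
    disabled|""|None)  echo "NOT_MFA_PROTECTED" ;;
    *)                 echo "UNKNOWN_STATE($1)" ;;
  esac
}

# Steps 3 to 8 of the CLI audit for one user principal name.
audit_user() {
  upn=$1
  roles=$(az role assignment list --all --assignee "$upn" \
            --query '[].roleDefinitionName' -o tsv)
  if has_privileged_role "$roles"; then
    echo "$upn: privileged, rule does not apply"
    return 0
  fi
  oid=$(az ad user show --id "$upn" --query id -o tsv)
  state=$(az rest --method GET \
    --uri "https://graph.microsoft.com/beta/users/$oid/authentication/requirements" \
    --query perUserMfaState -o tsv)
  echo "$upn: non-privileged, $(mfa_verdict "$state")"
}

# Step 1 plus the "repeat for each user" loop of step 9.
audit_tenant() {
  az ad user list --query '[].userPrincipalName' -o tsv |
    while IFS= read -r upn; do audit_user "$upn"; done
}

# Only contact Azure when invoked with "run", so the helpers can be sourced.
if [ "${1:-}" = run ]; then audit_tenant; fi
```

Every line reporting NOT_MFA_PROTECTED is a finding for this rule; privileged users are skipped here because they fall under a separate check.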

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) for your non-privileged Azure users, perform the following actions:

Note 1: By default, MFA is disabled for all Microsoft Azure users, therefore their MFA state is set to Disabled. Once you enable MFA for your Azure users, their state changes to Enabled. When enabled users sign in and complete the MFA registration process, their state changes to Enforced.
Note 2: As an example, this conformity rule uses Microsoft Authenticator as the MFA virtual device.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under verification options, select the method(s) that you want to use for Multi-Factor Authentication feature from Methods available to users section.

07 Click Save to apply the changes, then click Close to return to the settings page.

08 Click users and select Sign-in allowed users to list all users that are allowed to sign-in to the Azure Management Console.

09 Select the user that you want to enroll in MFA (see Audit section part I to identify the right Microsoft Entra ID user), then click Enable under quick steps, in the right menu.

10 Inside the confirmation box, click enable multi-factor auth to enable Multi-Factor Authentication for the selected Azure user. Click Close to return to the console.

11 Install Microsoft Authenticator application, then sign in to your Microsoft Azure account with the user configured for MFA earlier in the process. Once signed in, you will be redirected to the Additional security verification page and asked to complete the MFA registration process.

12 On the verification page, under Step 1: How should we contact you, select Mobile app and the Use verification code option to specify how you want to use the authenticator app. Click Set up to start the registration process.

13 Open the mobile application, choose Add account and select the Work or school account option.

14 Inside Configure mobile app box, scan the generated QR code image using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next to continue the process.

15 Back on the Additional security verification page, click Next. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

16 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for verification in case you don't have access to the MFA device anymore, then choose Next. Click Done to finish the MFA registration process. The MFA state for the user should be automatically switched to Enforced once the registration process is complete.

17 Repeat steps no. 9 – 16 for each non-privileged user that you want to configure for MFA protection, available in your Azure account.

Using Azure CLI

01 Get the object ID for the non-privileged user you want to enable MFA for:

az ad user show \
	--id datadeveloper@cloudconformity.onmicrosoft.com \
	--query id -o tsv

02 The command output returns the user's object ID (replace <user-object-id> in the next steps with this value):

abcd1234-5678-90ab-cdef-1234567890ab

03 Run az rest command to enable per-user MFA using the Microsoft Graph API:

az rest --method PATCH \
	--uri 'https://graph.microsoft.com/beta/users/<user-object-id>/authentication/requirements' \
	--body '{"perUserMfaState":"enabled"}'

Note: Enabling per-user MFA requires elevated administrative privileges. Your account must have one of the following roles: Global Administrator, Privileged Authentication Administrator, or Security Administrator.

04 Verify that MFA is enabled by checking the MFA state:

az rest --method GET \
	--uri 'https://graph.microsoft.com/beta/users/<user-object-id>/authentication/requirements' \
	--query perUserMfaState

05 The command output should return:

"enabled"

06 Now that Multi-Factor Authentication is enabled for the selected Azure user, you have to start the MFA registration process. Install Microsoft Authenticator application and sign in to your Microsoft Azure account with the user configured for MFA. Once signed in, you will be redirected to the Additional security verification page and asked to complete the registration process.

07 On the verification page, under Step 1: How should we contact you, select Mobile app and the Use verification code option to specify how you want to use the authenticator application. Click Set up to initiate the registration process. Open the mobile app, choose Add account and select Work or school account. Inside the Configure mobile app box, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next to continue.

08 Back on the Additional security verification page, click Next. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify. For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for verification in case you don't have access to the MFA device anymore, then choose Next. Click Done to finish the MFA registration process. The user MFA status should be automatically switched to Enforced once the registration process is complete.

09 Repeat steps no. 1 – 8 for each non-privileged Microsoft Azure user that you want to reconfigure in order to enable Multi-Factor Authentication.

Publication date Aug 30, 2019