Ensure that Multi-Factor Authentication is enabled for all user credentials that have write access to the cloud resources within your Microsoft Azure account. Multi-Factor Authentication (MFA) is a simple yet efficient method of verifying your Azure user identity: it requires an authentication code (also known as a passcode) generated by a virtual or hardware device, in addition to your usual access credentials such as user name and password.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure.
Having an MFA-protected Azure account represents an efficient way to safeguard your cloud resources against malicious users and attackers, as Multi-Factor Authentication adds extra security to the authentication process by requiring privileged users (contributors, subscription owners and service co-administrators) to present a minimum of two separate forms of authorization before their access is granted. With Multi-Factor Authentication (MFA) enabled, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromising access credentials and thus reducing the risk of attack significantly.
To determine if MFA is enabled for all Microsoft Azure privileged users, perform the following actions:
Remediation / Resolution
To enable Multi-Factor Authentication (MFA) for your Azure cloud privileged users, perform the following actions:
Note 1: By default, MFA is disabled for all Microsoft Azure users, so their MFA state is set to Disabled. Once you enroll your users within MFA, their state changes to Enabled. When enabled users sign in and complete the MFA registration process, their state changes to Enforced.
Note 2: As an example, this conformity rule will use Microsoft Authenticator as the MFA device, as this is one of the most popular MFA virtual devices used by Azure cloud customers.
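The audit this rule describes, sketched as an added example that is not part of the original rule page or the Cloud Conformity tool: it joins role assignments with the per-user MFA states from Note 1 and reports every user holding a write role. The record layout, the role-name strings, the PENDING verdict for the Enabled state and the choice to fail users missing from the MFA report are assumptions of this example, and all sample data is constructed.

```python
# Added example: join privileged role assignments with per-user MFA state.
# All records below are constructed sample data, not output from a real tenant.

# Roles the page treats as having write access (role-name strings are an assumption).
WRITE_ROLES = {"Owner", "Contributor", "CoAdministrator"}

# MFA states from Note 1, mapped to an audit verdict (verdict labels are an assumption).
VERDICT = {
    "Disabled": "FAIL",     # not enrolled in MFA
    "Enabled": "PENDING",   # enrolled, registration not yet completed
    "Enforced": "PASS",     # registration completed
}

ROLE_ASSIGNMENTS = [  # constructed
    {"principalName": "alice@example.com", "principalType": "User", "role": "Owner"},
    {"principalName": "bob@example.com", "principalType": "User", "role": "Contributor"},
    {"principalName": "bob@example.com", "principalType": "User", "role": "Reader"},
    {"principalName": "carol@example.com", "principalType": "User", "role": "Reader"},
    {"principalName": "dave@example.com", "principalType": "User", "role": "CoAdministrator"},
    {"principalName": "erin@example.com", "principalType": "User", "role": "Contributor"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal", "role": "Contributor"},
]

MFA_STATES = {  # constructed; erin is deliberately missing from the report
    "alice@example.com": "Enforced",
    "bob@example.com": "Disabled",
    "carol@example.com": "Disabled",
    "dave@example.com": "Enabled",
}


def audit_privileged_mfa(assignments, mfa_states):
    """Return {user: (verdict, sorted write roles)} for users holding a write role."""
    roles_by_user = {}
    for a in assignments:
        # Per-user MFA state applies to user accounts only; skip other principal types.
        if a["principalType"] != "User" or a["role"] not in WRITE_ROLES:
            continue
        roles_by_user.setdefault(a["principalName"].lower(), set()).add(a["role"])
    states = {upn.lower(): state for upn, state in mfa_states.items()}
    report = {}
    for user, roles in roles_by_user.items():
        # A user absent from the MFA report is treated as failing, not ignored.
        verdict = VERDICT.get(states.get(user, "Disabled"), "FAIL")
        report[user] = (verdict, sorted(roles))
    return report


if __name__ == "__main__":
    for user, (verdict, roles) in sorted(audit_privileged_mfa(ROLE_ASSIGNMENTS, MFA_STATES).items()):
        print(f"{verdict:8} {user:22} {', '.join(roles)}")
```

Read-only users such as carol are out of scope even with MFA disabled, and the service principal is skipped because the per-user MFA state in Note 1 applies only to user accounts.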
You are auditing:
Enable Multi-Factor Authentication for Privileged Users
Risk level: Medium