Ensure that Multi-Factor Authentication (MFA) is enabled for non-privileged users such as developers, service readers or operators, in order to help safeguard access to Microsoft Azure cloud data and applications. MFA reduces organizational risk and helps achieve regulatory compliance by providing an additional layer of security on top of the existing user credentials, using a second form of authentication to secure employee, customer and partner access. By default, Multi-Factor Authentication is disabled for all Microsoft Azure users.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
MFA represents a simple and efficient method of validating your Azure cloud user identity by requiring an authentication code generated by a virtual or hardware device, in addition to your usual access credentials, i.e. user name and password. With Azure Multi-Factor Authentication enabled, if an attacker manages to discover the user's password, the exposed credential is useless without also having access to the additional authentication method (in this case the MFA device).
Audit
To determine if MFA is enabled for non-privileged Azure users, perform the following actions:
Remediation / Resolution
To enable Multi-Factor Authentication (MFA) for your non-privileged Azure users, perform the following actions:
Note 1: By default, MFA is disabled for all Microsoft Azure users, therefore their MFA state is set to Disabled. Once you enable MFA for your Azure users, their state changes to Enabled. When enabled users sign in and complete the MFA registration process, their state changes to Enforced.
Note 2: As an example, this conformity rule uses Microsoft Authenticator as the MFA virtual device.
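As an added example (not part of the Cloud Conformity page or its tooling), the following PowerShell script performs the audit described above with the MSOnline cmdlets Get-MsolUser, Get-MsolRole and Get-MsolRoleMember, reading each user's MFA state from StrongAuthenticationRequirements (no entry means Disabled, otherwise Enabled or Enforced), and optionally applies the remediation with Set-MsolUser. The list of roles treated as privileged and the APPLY_MFA environment switch are assumptions.

```powershell
# Added example, not Cloud Conformity's own code. Assumes the MSOnline module is
# installed and that the account running it can read users and role memberships.
Import-Module MSOnline
Connect-MsolService

# Roles treated as privileged (assumption; adjust to your organisation's definition).
# Members of these roles are excluded from the non-privileged audit below.
$PrivilegedRoles = @('Company Administrator', 'Privileged Role Administrator',
                     'Security Administrator', 'User Account Administrator')

# Collect the object IDs of every member of a privileged role
$privilegedIds = @{}
foreach ($roleName in $PrivilegedRoles) {
    $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
    if ($null -eq $role) { continue }
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        ForEach-Object { $privilegedIds[$_.ObjectId.ToString()] = $true }
}

# MFA state is derived from StrongAuthenticationRequirements:
# no entry -> Disabled, otherwise State is 'Enabled' or 'Enforced'
function Get-MfaState {
    param($User)
    $req = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
    if ($req.Count -eq 0) { return 'Disabled' }
    return $req[0].State
}

# Audit: enabled, non-privileged accounts whose MFA state is still Disabled
$nonPrivilegedWithoutMfa = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { -not $privilegedIds.ContainsKey($_.ObjectId.ToString()) } |
    Where-Object { (Get-MfaState $_) -eq 'Disabled' }

$nonPrivilegedWithoutMfa |
    Select-Object UserPrincipalName, DisplayName |
    Format-Table -AutoSize

# Remediation: require MFA for each non-compliant user. Their state becomes Enabled
# and moves to Enforced once they complete registration. APPLY_MFA is an assumed
# opt-in switch so the audit can be reviewed before any change is made.
if ($env:APPLY_MFA -eq '1') {
    $mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mfa.RelyingParty = '*'
    $mfa.State = 'Enabled'
    foreach ($u in $nonPrivilegedWithoutMfa) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($mfa)
    }
}
```

Microsoft has deprecated the MSOnline module in favour of Microsoft Graph PowerShell; the script follows the MSOnline cmdlets this rule references, so expect to port it if the module is no longer available in your tenant.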
References
- Azure Official Documentation
  - How it works: Azure Multi-Factor Authentication
  - Planning a cloud-based Azure Multi-Factor Authentication deployment
  - Reports in Azure Multi-Factor Authentication
  - How to require two-step verification for a user
- CIS Microsoft Azure Foundations
- Azure PowerShell Documentation
  - Azure ActiveDirectory (MSOnline)
    - MSOnline
    - Get-MsolUser
    - Set-MsolUser
- Azure Command Line Interface (CLI) Documentation
  - az
  - az ad user list
  - az role assignment list
Rule: Enable Multi-Factor Authentication for Non-Privileged Users
Risk level: Medium