Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Multi-factor Authentication On Devices

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-004

Ensure that "Allow users to remember multi-factor authentication on devices they trust" feature is disabled within your Microsoft Azure account in order to make sure that your users are not allowed to bypass MFA. Multi-Factor Authentication is an efficient method of verifying your Azure user identity by requiring an authentication code generated by a virtual or hardware device in addition to your usual access credentials.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Remembering Multi-Factor Authentication (MFA) for devices and browsers allows Microsoft Azure users to have the option to bypass MFA for a certain number of days after performing a successful sign-in using an MFA passcode. Remembering MFA can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device, however, if an account or device is compromised, remembering Multi-Factor Authentication for trusted devices and browsers can lead to security breaches. When "Allow users to remember multi-factor authentication on devices they trust" feature is disabled, for every login attempt, the users will be required to perform Multi-Factor Authentication.

Audit

To determine "Allow users to remember multi-factor authentication on devices they trust" feature status, perform the following actions:

Note: Retrieving configuration status for "Allow users to remember multi-factor authentication on devices they trust" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button from the Microsoft Entra ID blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under remember multi-factor authentication, check the Allow users to remember multi-factor authentication on devices they trust configuration setting. If Allow users to remember multi-factor authentication on devices they trust feature is enabled, i.e. the checkbox is selected, the Microsoft Entra ID users can bypass Multi-Factor Authentication (MFA) after a successful sign-in, therefore the MFA configuration is not compliant.

Remediation / Resolution

To disable remembering Multi-Factor Authentication (MFA) for your Microsoft Entra ID users and deny trusted devices and browsers to bypass the two-step verification, perform the following actions:

Note: Managing configuration settings for "Allow users to remember multi-factor authentication on devices they trust" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button from the Microsoft Entra ID service blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under remember multi-factor authentication, uncheck Allow users to remember multi-factor authentication on devices they trust checkbox to disable remembering Multi-Factor Authentication (MFA) after a successful sign-in. Disabling this feature means that all users will be required to sign in using MFA on each login attempt, even if the request is performed from a previously-remembered device or browser. Click Save to apply the configuration changes and Close to return to the Multi-Factor Authentication service settings page.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Multi-factor Authentication On Devices

Risk Level: Medium