Trend Micro Cloud One™

Disable Remembering Multi-Factor Authentication

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-004

Ensure that the "Allow users to remember multi-factor authentication on devices they trust" feature is disabled within your Microsoft Azure account so that users cannot skip the MFA challenge on a previously remembered device or browser. Multi-Factor Authentication (MFA) verifies an Azure user's identity by requiring a second factor, such as a code from an authenticator app or a hardware token, in addition to the usual access credentials.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Remembering Multi-Factor Authentication (MFA) for devices and browsers gives Microsoft Azure users the option to skip the second-factor challenge for a configurable number of days after a successful MFA sign-in. The trust is stored as a persistent cookie in the browser on that device; for as long as it is valid, sign-ins from that browser satisfy the MFA requirement without a fresh challenge. Remembering MFA improves usability by reducing how often a user must complete two-step verification on the same device. However, it also means that an attacker who compromises the device, or steals the browser state that carries the remembered trust, can sign in as that user with the password alone until the trust expires. When the "Allow users to remember multi-factor authentication on devices they trust" feature is disabled, users are required to complete Multi-Factor Authentication on every sign-in.

Audit

To determine "Allow users to remember multi-factor authentication on devices they trust" feature status, perform the following actions:

Note: Retrieving the configuration status of the "Allow users to remember multi-factor authentication on devices they trust" feature using the Microsoft Graph API or Azure CLI is not supported at the time of this rule's publication; the check has to be performed in the Azure portal.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button from the AD blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under remember multi-factor authentication, check the state of the Allow users to remember multi-factor authentication on devices they trust setting. If the checkbox is selected, the feature is enabled and Azure AD users can skip the MFA challenge on a remembered device or browser after a single successful MFA sign-in, therefore the MFA configuration is not compliant.
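Because the setting itself cannot be read through the Graph API or Azure CLI, a complementary check is to look at the sign-in logs for evidence that users are actually satisfying MFA from a remembered device rather than a fresh challenge. The script below is an added example, not part of the Cloud Conformity rule or of Microsoft's tooling: it reads a sign-in log export (the JSON array the portal's sign-in log download produces, or a Graph beta `signIns` response) and counts, per user, the interactive sign-ins whose MFA step was met by a cached claim. The field names (`isInteractive`, `authenticationDetails`, `authenticationStepResultDetail`, `userPrincipalName`) and the result-detail string it matches are assumptions modelled on the Graph beta `signIn` schema; confirm them against the "Authentication details" tab of a known sign-in in your own tenant before relying on the result. The sample records are constructed for the example.

```python
"""Flag Azure AD sign-ins whose MFA requirement was met by a remembered device.

Added, stand-alone check that complements the portal audit; it is not part of
the Cloud Conformity rule. Field names and the matched result-detail string
are ASSUMPTIONS modelled on the Graph beta `signIn` schema.
"""
import json
from collections import Counter
from typing import Iterable

# Result detail Azure AD records when the MFA requirement was satisfied without
# a prompt, which is what a remembered device or browser produces.
# ASSUMPTION: compare with a real sign-in's "Authentication details" first.
REMEMBERED_MFA_DETAILS = {"MFA requirement satisfied by claim in the token"}


def mfa_from_cached_claim(sign_in: dict) -> bool:
    """True if an interactive sign-in met MFA from a cached claim, not a prompt.

    Non-interactive sign-ins (silent token refreshes) never prompt for MFA, so
    they are ignored; counting them would inflate the result.
    """
    if not sign_in.get("isInteractive", True):
        return False
    return any(
        step.get("succeeded", False)
        and step.get("authenticationStepResultDetail") in REMEMBERED_MFA_DETAILS
        for step in sign_in.get("authenticationDetails", [])
    )


def audit_sign_ins(sign_ins: Iterable[dict]) -> Counter:
    """Count flagged interactive sign-ins per user principal name."""
    by_user: Counter = Counter()
    for sign_in in sign_ins:
        if mfa_from_cached_claim(sign_in):
            by_user[sign_in.get("userPrincipalName", "<unknown>")] += 1
    return by_user


def load_export(path: str) -> list:
    """Load a portal download (JSON array) or a Graph response ({"value": [...]})."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data["value"] if isinstance(data, dict) else data


# Constructed sample records (not real tenant data), shaped like the export.
SAMPLE_SIGN_INS = [
    {   # fresh MFA challenge completed: the behaviour this rule wants
        "userPrincipalName": "alice@contoso.example",
        "isInteractive": True,
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Mobile app notification", "succeeded": True,
             "authenticationStepResultDetail": "MFA completed in Azure AD"},
        ],
    },
    {   # MFA skipped because the browser was remembered: flagged
        "userPrincipalName": "alice@contoso.example",
        "isInteractive": True,
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"},
        ],
    },
    {   # silent token refresh carrying the same claim: ignored
        "userPrincipalName": "bob@contoso.example",
        "isInteractive": False,
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"},
        ],
    },
]

if __name__ == "__main__":
    import sys
    records = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SIGN_INS
    for upn, count in audit_sign_ins(records).most_common():
        print(f"{upn}: {count} interactive sign-in(s) with MFA satisfied by a remembered device")
```

Run it with the path of an exported sign-in log as the only argument; with no argument it runs over the constructed sample. A non-empty result after the setting has been disabled indicates either that the export predates the change or that another source (for example a federated identity provider) is injecting the MFA claim, which is worth investigating on its own.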

Remediation / Resolution

To disable remembering Multi-Factor Authentication (MFA) for your Azure Active Directory (AD) users and prevent trusted devices and browsers from bypassing two-step verification, perform the following actions:

Note: Managing the configuration settings of the "Allow users to remember multi-factor authentication on devices they trust" feature using the Microsoft Graph API or Azure CLI is not supported at the time of this rule's publication; the change has to be made in the Azure portal.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button from the AD service blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under remember multi-factor authentication, uncheck the Allow users to remember multi-factor authentication on devices they trust checkbox to disable remembering Multi-Factor Authentication (MFA) after a successful sign-in. Disabling this feature means that all users must complete MFA on each login attempt, even when the request comes from a previously remembered device or browser. Click Save to apply the configuration changes, then Close to return to the Multi-Factor Authentication management page.

Publication date Aug 30, 2019
