Disable Remembering Multi-Factor Authentication

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-004

Ensure that the "Allow users to remember multi-factor authentication on devices they trust" feature is disabled in your Microsoft Azure account (the setting is tenant-wide) so that your users cannot skip MFA on a previously remembered device or browser. Multi-Factor Authentication is an effective method of verifying the identity of an Azure user because it requires a second factor, such as a code generated by an authenticator app or a hardware token, in addition to the usual access credentials.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Remembering Multi-Factor Authentication (MFA) for devices and browsers lets Microsoft Azure users skip MFA for a configurable number of days after a successful MFA sign-in: when the feature is enabled, a user who selects "Don't ask again for X days" during sign-in receives a persistent cookie on that browser or device, and subsequent sign-ins from it are accepted without a second factor until the period expires. Remembering MFA improves usability by reducing the number of times a user must perform two-step verification on the same device, but that persistent cookie is effectively a stored MFA bypass: if the device, browser profile or account is compromised, an attacker who obtains it inherits the bypass for the remainder of the remembered period, and the second factor no longer protects the account. When the "Allow users to remember multi-factor authentication on devices they trust" feature is disabled, users are required to perform Multi-Factor Authentication on every sign-in. Note that this setting belongs to the legacy per-user MFA service settings page; tenants that enforce MFA through Conditional Access control re-prompting with the policy's sign-in frequency and persistent browser session controls instead.


Audit

To determine the status of the "Allow users to remember multi-factor authentication on devices they trust" feature, perform the following actions:

Note: Retrieving configuration status for "Allow users to remember multi-factor authentication on devices they trust" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button from the AD blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under remember multi-factor authentication, check the Allow users to remember multi-factor authentication on devices they trust configuration setting. If the feature is enabled (the checkbox is selected), Azure AD users can choose to skip Multi-Factor Authentication (MFA) on a remembered device or browser after one successful sign-in, therefore the MFA configuration is not compliant.

Remediation / Resolution

To disable remembering Multi-Factor Authentication (MFA) for your Azure Active Directory (AD) users and prevent trusted devices and browsers from bypassing two-step verification, perform the following actions:

Note: Managing configuration settings for "Allow users to remember multi-factor authentication on devices they trust" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button from the AD service blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under remember multi-factor authentication, uncheck the Allow users to remember multi-factor authentication on devices they trust checkbox to disable remembering Multi-Factor Authentication (MFA) after a successful sign-in. Disabling this feature means that all users will be required to sign in using MFA on each login attempt, even if the request comes from a previously remembered device or browser. Click Save to apply the configuration changes and Close to return to the Multi-Factor Authentication service settings page. Because the setting is tenant-wide, re-check it after the change from a second administrator session to confirm it was saved.

Publication date Aug 30, 2019
