Require MFA to Join Devices

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-022

Multi-Factor Authentication should be mandatory when users add devices to Azure Active Directory. This ensures that rogue devices cannot be registered to your directory through compromised user accounts. When "Require Multi-Factor Auth to join devices" is set to "Yes", users adding devices from the Internet must complete a second authentication method before their devices can be added to your directory.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Audit

To determine if Multi-Factor Authentication is required for device enrollment in your Azure Active Directory, perform the following actions:

Note: Retrieving the "Require Multi-Factor Auth to join devices" setting configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Devices.

04 In the Manage section, under All devices, select Device settings to access Active Directory device general settings.

05 On the Device settings page, check the Require Multi-Factor Auth to join devices feature setting. If it is set to No, Multi-Factor Authentication (MFA) is not required when adding devices to the current Azure Active Directory, and the configuration is therefore not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Require Multi-Factor Auth to join devices" to "Yes", all Active Directory users adding devices to your directory are challenged for a second method of authentication. To turn on this feature, perform the following actions:

Note: Enabling the "Require Multi-Factor Auth to join devices" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Devices.

04 In the Manage section, under All devices, select Device settings to access Active Directory device general settings.

05 On the Device settings page, select Yes next to the Require Multi-Factor Auth to join devices configuration setting to enable the feature.

06 Click Save to apply the changes. If successful, the following message should be displayed: "Successfully updated device settings". Once the configuration changes are saved, all users adding devices to your directory must use Multi-Factor Authentication (MFA).

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure, so that users must provide a second method of authentication when joining devices.

Publication date May 21, 2019
