rules/findings/EntraID/IAM/CIS3.0/entra-iam-privileged-users-disabled-mfa.json
|
{
"args": [ ], "provider": "EntraID", "serviceType": "Entra Identity Governance", "serviceName": "Microsoft Entra ID", "displayName": "Ensure that \u0027Multi-Factor Auth Status\u0027 is \u0027Enabled\u0027 for all Privileged Users", "description": "\r\n\t\t\t###### IMPORTANT - Please read the section overview\r\n\t\t\tIf your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM\u0026S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.\r\n\t\t\tEnable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as;\r\n\t\t\t* Service Co-Administrators\r\n\t\t\t* Subscription Owners\r\n\t\t\t* Contributors\r\n ", "rationale": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", "impact": "Users would require two forms of authentication before any access is granted. Additional administrative time will be required for managing dual forms of authentication when enabling multi-factor authentication.", "remediation": { "text": "\r\n\t\t###### Remediate from Azure Portal \u003cbr/\u003e\r\n\r\n\t\t1. From Azure Home select the Portal Menu \r\n\t\t2. Select `Microsoft Entra ID` blade \r\n\t\t3. Under `Manage`, click `Roles and administrators`\r\n\t\t4. Take note of all users with the role `Service Co-Administrators`, `Owners` or `Contributors`\r\n\t\t5. Return to the `Overview`\r\n\t\t6. Under `Manage`, click `Users`\r\n\t\t7. Click on the `Per-User MFA` button in the top row menu \r\n\t\t8. Check the box next to each noted user \r\n\t\t9. Click `Enable MFA` \r\n\t\t10. Click `Enable`\r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access", "https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "2.1.2", "profile": "Level 2" } ], "level": "medium", "tags": [ ], "rule": { "path": "aad_role_assignment", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "include": "_ARG_0_" } ] }, { "connectOperator": "and", "filter": [ { "conditions": [ [ "ObjectType", "eq", "User" ], [ "ne", "mfaenabled" ], [ "mfaenabled", "eq", "false" ] ], "operator": "and", "whereObject": "effectiveMembers" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": "true" }, "output": { "html": { "data": { "properties": { "effectiveMembers.userPrincipalName": "UPN", "effectiveMembers.objectType": "Object Type", "effectiveMembers.userType": "User Type", "displayName": "Role", "isBuiltIn": "isBuiltIn", "effectiveMembers.mfaenabled": "MFA enabled" }, "expandObject": "effectiveMembers" }, "table": "default", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": "effectiveMembers", "limit": null }, "showGoToButton": "False", "showModalButton": "False", "directLink": null } }, "text": { "data": { "properties": { "effectiveUsers.userPrincipalName": "UPN", "effectiveUsers.objectType": "ObjectType", "effectiveUsers.id": "Id" }, "expandObject": "effectiveUsers" }, "status": { "keyName": [ "UPN" ], "message": "MFA is not enabled for {UPN}", "defaultMessage": "Ensure that multi-factor authentication is enabled for all privileged users" }, "properties": { "resourceName": "UPN", "resourceId": "id", "resourceType": "ObjectType" }, "onlyStatus": true } }, "idSuffix": "aad_privileged_users_with_mfa_disabled", "notes": [ ], "categories": [ ], "immutable_properties": [ "id" ], "id": "entraid_1140" } |