rules/findings/EntraID/IAM/CIS3.0/entra-iam-users-disabled-mfa.json
|
{
"args": [ ], "provider": "EntraID", "serviceType": "Entra Identity Governance", "serviceName": "Microsoft Entra ID", "displayName": "Ensure that \u0027Multi-Factor Auth Status\u0027 is \u0027Enabled\u0027 for all Non-Privileged Users", "description": "\r\n\t\t\t###### IMPORTANT - Please read the section overview:\r\n\t\t\tIf your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM\u0026S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section. \u003cbr/\u003e Enable multi-factor authentication for all non-privileged users.", "rationale": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", "impact": "Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication.", "remediation": { "text": "\r\n\t\t\t###### Remediate from Azure Portal\r\n\t\t\t1. From Azure Home select the Portal Menu\r\n\t\t\t2. Select `Microsoft Entra ID` blade\r\n\t\t\t3. Under `Manage`, click `Users`\r\n\t\t\t4. Click on the `Per-User MFA` button in the top row menu\r\n\t\t\t5. Check the box next to each user\r\n\t\t\t6. Click `Enable MFA`\r\n\t\t\t7. Click `Enable`\r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access", "https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "2.1.3", "profile": "Level 2" } ], "level": "medium", "tags": [ ], "rule": { "path": "aad_domain_users", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "mfaenabled", "ne", "" ], [ "mfaenabled", "eq", "false" ] ], "operator": "and" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": "true" }, "output": { "html": { "data": { "properties": { "userPrincipalName": "User Principal Name", "objectType": "Object Type", "userType": "User Type", "mfaenabled": "MFA enabled" }, "expandObject": null }, "table": "default", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": "False", "showModalButton": "False", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "MFA is not enabled for all non privileged users", "defaultMessage": null }, "properties": { "resourceName": "userPrincipalName", "resourceId": "id", "resourceType": "EntraUser" }, "onlyStatus": true } }, "idSuffix": "aad_users_with_mfa_disabled", "notes": [ ], "categories": [ ], "immutable_properties": [ "id", "userPrincipalName" ], "id": "entraid_1142" } |