rules/findings/EntraID/IAM/CIS3.0/entra-iam-users-disabled-mfa.json
|
{
"args": [ ], "provider": "EntraID", "serviceType": "Entra Identity Governance", "serviceName": "Microsoft Entra ID", "displayName": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users", "description": " ###### IMPORTANT - Please read the section overview: If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section. <br/> Enable multi-factor authentication for all non-privileged users.", "rationale": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", "impact": "Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication.", "remediation": { "text": " ###### Remediate from Azure Portal 1. From Azure Home select the Portal Menu 2. Select `Microsoft Entra ID` blade 3. Under `Manage`, click `Users` 4. Click on the `Per-User MFA` button in the top row menu 5. Check the box next to each user 6. Click `Enable MFA` 7. Click `Enable` ", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access", "https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "2.1.3", "profile": "Level 2" } ], "level": "medium", "tags": [ ], "rule": { "path": "aad_domain_users", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "mfaenabled", "ne", "" ], [ "mfaenabled", "eq", "false" ] ], "operator": "and" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": "true" }, "output": { "html": { "data": { "properties": { "userPrincipalName": "User Principal Name", "objectType": "Object Type", "userType": "User Type", "mfaenabled": "MFA enabled" }, "expandObject": null }, "table": "Normal", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": "False", "showModalButton": "False", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "MFA is not enabled for all non privileged users", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": true } }, "idSuffix": "aad_users_with_mfa_disabled", "notes": [ ], "categories": [ ] } |