MS.AAD.3.5v1 - The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.

Information

SMS, voice call, and email OTP are the weakest authenticators. This policy forces users to use stronger MFA methods.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. In the Microsoft Entra admin center, click Security > Authentication methods.
2. Open each of the SMS, Voice Call, and Email OTP authentication methods and disable it. On the Authentication methods > Policies page, each of the three methods should then show Enabled: No.
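The same state can be confirmed outside the portal. The following is an added example, not part of this audit item or of ScubaGear, that reads the tenant's authentication methods policy through Microsoft Graph PowerShell and reports whether the three weak methods are disabled; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to the Policy.Read.All scope.

```powershell
# Added example (not part of the Tenable audit or ScubaGear): verify MS.AAD.3.5v1
# by reading the tenant authentication methods policy via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Identity.SignIns module and the Policy.Read.All scope.
Connect-MgGraph -Scopes 'Policy.Read.All'

# Method IDs used by the authenticationMethodsPolicy resource for the three weak authenticators.
$weakMethods = @('Sms', 'Voice', 'Email')

$policy  = Get-MgPolicyAuthenticationMethodPolicy
$configs = $policy.AuthenticationMethodConfigurations

# One row per method: its reported state and whether it satisfies the control.
$findings = foreach ($id in $weakMethods) {
    $cfg = $configs | Where-Object { $_.Id -eq $id }
    [pscustomobject]@{
        Method    = $id
        State     = if ($cfg) { $cfg.State } else { 'not present' }
        # A method that cannot be found is treated as unverified, i.e. not compliant.
        Compliant = [bool]($cfg -and $cfg.State -eq 'disabled')
    }
}

$findings | Format-Table -AutoSize

if ($findings.Compliant -contains $false) {
    Write-Warning 'MS.AAD.3.5v1 FAIL: one or more of SMS, Voice Call, or Email OTP is still enabled.'
} else {
    Write-Output 'MS.AAD.3.5v1 PASS: SMS, Voice Call, and Email OTP are disabled.'
}
```

Running this before and after the portal change gives a record of the remediation that can be kept alongside the Nessus target output.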

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2, 800-53|AC-4, 800-53|AC-6, 800-53|CA-7, 800-53|CM-2, 800-53|CM-5, 800-53|CM-6, 800-53|IA-2, 800-53|IA-3, 800-53|IA-5, 800-53|IA-9, 800-53|SC-7, 800-53|SC-20, 800-53|SC-44, 800-53|SI-3, 800-53|SI-4, 800-53|SI-8

Plugin: microsoft_azure

Control ID: 5724dbba21e6ca9f268569a150b3e0d06b6d55fa33318152d643eda7197f846e