MS.AAD.3.6v1 - Phishing-resistant MFA SHALL be required for highly privileged roles.

Information

This is a backup security policy to help protect privileged access to the tenant if the conditional access policy, which requires MFA for all users, is disabled or misconfigured.

Solution

1. Create a conditional access policy enforcing phishing-resistant MFA for highly privileged roles. Configure the following policy settings in the new conditional access policy, per the values below:

Users > Include > Select users and groups > Directory roles > select each of the roles listed in the Highly Privileged Roles section at the top of this document

Target resources > Cloud apps > All cloud apps

Access controls > Grant > Grant Access > Require authentication strength > Phishing-resistant MFA

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-4, 800-53|AC-5, 800-53|AC-6, 800-53|AC-7, 800-53|AC-20, 800-53|CA-7, 800-53|CM-2, 800-53|CM-5, 800-53|CM-6, 800-53|IA-2, 800-53|IA-5, 800-53|IA-9, 800-53|SA-3, 800-53|SA-4, 800-53|SA-8, 800-53|SA-10, 800-53|SA-11, 800-53|SA-15, 800-53|SA-16, 800-53|SA-17, 800-53|SC-7, 800-53|SC-20, 800-53|SC-28, 800-53|SC-44, 800-53|SI-3, 800-53|SI-4, 800-53|SI-8

Plugin: microsoft_azure

Control ID: 8eb34c2aea58fcef362376cea08eba76791a5ee2864311674f5d3aaaf47382ac