MS.AAD.3.2v1 - If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.

Information

This is a stopgap security policy to help protect the tenant if phishing-resistant MFA has not been enforced. This policy requires MFA enforcement (without dictating the method), thus reducing the risk of relying on a single authentication factor.

Solution

1. If phishing-resistant MFA has not been enforced for all users yet, create a conditional access policy that enforces MFA but does not dictate the MFA method. Configure the new conditional access policy with the following settings:

Users > Include > All users

Target resources > Cloud apps > All cloud apps

Access controls > Grant > Grant Access > Require multifactor authentication
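The settings above map directly onto fields of a Conditional Access policy as returned by the Microsoft Graph `conditionalAccess/policies` endpoint (for example via Get-MgIdentityConditionalAccessPolicy). The following added example, which is not ScubaGear's own Rego and does not reproduce its exact logic, checks an exported policy list for a policy that satisfies MS.AAD.3.2v1: state enabled, Users > Include = All users, Target resources = All cloud apps, Grant = Require multifactor authentication. The sample export is constructed for the example; the field names follow the Graph schema as the author understands it.

```python
"""Check an exported list of Entra ID Conditional Access policies for an
enabled policy that requires MFA for all users on all cloud apps (MS.AAD.3.2v1).

Added example, not ScubaGear code. Assumption: the input is the JSON array
returned by the Microsoft Graph conditionalAccess/policies endpoint.
"""
import json

# Constructed sample export: one satisfying policy plus three near-misses.
SAMPLE_POLICIES_JSON = """
[
  {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
      "users": {"includeUsers": ["All"], "excludeUsers": [], "includeGroups": []},
      "applications": {"includeApplications": ["All"], "excludeApplications": []}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  },
  {
    "displayName": "MFA pilot (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {"includeUsers": ["All"]},
      "applications": {"includeApplications": ["All"]}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  },
  {
    "displayName": "MFA for finance group only",
    "state": "enabled",
    "conditions": {
      "users": {"includeUsers": [], "includeGroups": ["00000000-0000-0000-0000-000000000001"]},
      "applications": {"includeApplications": ["All"]}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  },
  {
    "displayName": "Block legacy auth",
    "state": "enabled",
    "conditions": {
      "users": {"includeUsers": ["All"]},
      "applications": {"includeApplications": ["All"]},
      "clientAppTypes": ["exchangeActiveSync", "other"]
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}
  }
]
"""


def policy_gaps(policy: dict) -> list[str]:
    """Return the reasons one policy does not satisfy MS.AAD.3.2v1.

    An empty list means the policy satisfies every required setting.
    """
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, not 'enabled'")
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("Users > Include is not 'All users'")
    apps = cond.get("applications") or {}
    if "All" not in (apps.get("includeApplications") or []):
        gaps.append("Target resources > Cloud apps is not 'All cloud apps'")
    grant = policy.get("grantControls") or {}
    controls = [c.lower() for c in (grant.get("builtInControls") or [])]
    if "mfa" not in controls:
        gaps.append("Grant controls do not require multifactor authentication")
    # A policy scoped to particular client app types leaves other sign-ins
    # uncovered; Graph's default for an unscoped policy is ["all"].
    client_apps = cond.get("clientAppTypes")
    if client_apps and client_apps != ["all"]:
        gaps.append("policy is narrowed by conditions.clientAppTypes")
    return gaps


def evaluate(policies: list[dict]) -> dict:
    """Summarise which policies satisfy the control and why the others do not."""
    satisfying = [p.get("displayName", "<unnamed>") for p in policies if not policy_gaps(p)]
    gaps = {p.get("displayName", "<unnamed>"): policy_gaps(p)
            for p in policies if policy_gaps(p)}
    return {"compliant": bool(satisfying),
            "satisfying_policies": satisfying,
            "gaps": gaps}


def evaluate_json(text: str) -> dict:
    """Convenience wrapper for a raw JSON export."""
    return evaluate(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(evaluate_json(SAMPLE_POLICIES_JSON), indent=2))
```

The check is deliberately strict about Users > Include: it does not treat a policy targeting a group as covering all users. It says nothing about excluded users, so a tenant that excludes break-glass accounts still passes; review those exclusions separately.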

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AC-7, 800-53|AC-20, 800-53|CA-7, 800-53|CM-2, 800-53|CM-6, 800-53|IA-2, 800-53|IA-4, 800-53|IA-5, 800-53|IA-11, 800-53|SI-4

Plugin: microsoft_azure

Control ID: e7af06a69bd604b5a23ad2ba06efed4416be86c9bcd913886d1f20bab1f078a4