5.2.2.2 Ensure multifactor authentication is enabled for all users

Information

Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.

Rationale:

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Impact:

Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment.

Note: Organizations that have difficulty enforcing MFA globally because they lack the budget to provide company-owned mobile devices to every user, or are unable to require end users to use their personal devices due to regulations, unions, or policy, have another option. FIDO2 security keys may be used as a stand-in for this recommendation. They are more secure, phishing resistant, and affordable for an organization to issue to every end user.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Expand Protection > Conditional Access and select Policies.

Click New policy.

Go to Assignments > Users and groups > Include > select All users (and do not exclude any user).

Select Cloud apps or actions > All cloud apps (and don't exclude any apps).

Access Controls > Grant > Require multi-factor authentication.

Set Enable policy to Report-only or On.

Create.

Note: Report-only is an acceptable first stage when introducing any CA policy. The control, however, is not complete until the policy is on.
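Since Nessus does not perform this check, the following added Python example (not part of the benchmark or of Tenable's audit) evaluates the Conditional Access policies returned by the Microsoft Graph endpoint `/identity/conditionalAccess/policies` against the settings in the steps above: all users and all cloud apps included with no exclusions or narrowing conditions, MFA as a grant control, and a state of On rather than Report-only. The two policies embedded below are constructed samples; the role id in the second one is a placeholder.

```python
import json

# Constructed sample, shaped like the "value" array returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
                 "applications": {"includeApplications": ["All"], "excludeApplications": []},
                 "clientAppTypes": ["all"], "platforms": null, "locations": null},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA for admins only", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeRoles": ["00000000-0000-0000-0000-000000000000"],
                           "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
                 "applications": {"includeApplications": ["All"], "excludeApplications": []},
                 "clientAppTypes": ["all"], "platforms": null, "locations": null},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

# Any of these conditions, when set, narrows the policy below "all users / all apps".
NARROWING = ("platforms", "locations", "devices", "signInRiskLevels", "userRiskLevels")

def unscoped(policy):
    """True when the policy targets all users and all cloud apps with no exclusions."""
    c = policy.get("conditions") or {}
    users = c.get("users") or {}
    apps = c.get("applications") or {}
    all_users = users.get("includeUsers") == ["All"] and not any(
        users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles"))
    all_apps = apps.get("includeApplications") == ["All"] and not apps.get("excludeApplications")
    narrowed = any(c.get(k) for k in NARROWING) or c.get("clientAppTypes") not in (None, [], ["all"])
    return all_users and all_apps and not narrowed

def requires_mfa(policy):
    """True when 'Require multi-factor authentication' is among the grant controls."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])

def evaluate(policies):
    """'PASS' if an enabled tenant-wide MFA policy exists, 'REPORT_ONLY' if the only
    candidate is still in report-only mode (control not yet complete), else 'FAIL'."""
    states = {p.get("state") for p in policies if unscoped(p) and requires_mfa(p)}
    if "enabled" in states:
        return "PASS"
    if "enabledForReportingButNotEnforced" in states:
        return "REPORT_ONLY"
    return "FAIL"

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES))  # → REPORT_ONLY
```

Policies that grant access through an authentication strength rather than the built-in MFA control are not recognised by `requires_mfa` and need manual review.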

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: microsoft_azure

Control ID: b38196e3cf43228d4608586da86e7b6133dce480e638f12db66ac9a51fd78836