5.2.3.4 Ensure all member users are 'MFA capable'

Information

Microsoft defines Multifactor authentication capable as being registered and enabled for a strong authentication method. The method must also be allowed by the authentication methods policy.

Ensure all member users are MFA capable.

Rationale:

Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted.

Users who are not MFA capable have never registered a strong authentication method for multifactor authentication that is within policy, and may not be using MFA at all. This could be the result of a user never having signed in, of exclusion from a Conditional Access (CA) policy that requires MFA, or of no such CA policy existing. Reviewing this list of users will help identify possible lapses in policy or procedure.

Impact:

When using the UI audit method, guest users will appear in the report; unless the organization applies MFA rules to guests, they will need to be filtered out manually. Accounts that provide on-premises directory synchronization also appear in these reports.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remediation steps will depend on the status of the personnel in question or configuration of Conditional Access policies and will not be covered in detail. Administrators should review each user identified on a case-by-case basis using the conditions below.

User has never signed on:

Employment status should be reviewed, and appropriate action taken on the user account's roles, licensing and enablement.

Conditional Access policy applicability:

Ensure a CA policy is in place requiring all users to use MFA.

Ensure the user is not excluded from the CA MFA policy.

Ensure the policy's state is set to On.

Use the What If tool to determine which CA policies apply to the user. (Protection > Conditional Access > Policies)

Review the user account in Sign-in logs. Under the Activity Details pane click the Conditional Access tab to view applied policies.

Note: Conditional Access is covered step by step in section 5.2.2.
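The case-by-case review above starts from a list of member users who are not MFA capable. The following is an added example, not part of the benchmark or the Nessus plugin, that builds that list with the Microsoft Graph PowerShell SDK: it queries the authentication methods registration report, drops guests and directory synchronization accounts (the 'Sync_' prefix filter is an assumption based on the default naming of those service accounts), and flags each remaining user as "never signed in" or "review CA policy applicability" so it can be mapped to the conditions above. It assumes the Microsoft.Graph Reports and Users modules are installed, that the signed-in account holds the listed scopes, and that the tenant is licensed for sign-in activity data.

```powershell
# Added example: list member users that are not MFA capable and annotate whether
# they have ever signed in. Not part of the benchmark text.
Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','User.Read.All' -NoWelcome

# Registration report: keep only members (guests excluded) whose registered
# methods do not make them MFA capable.
$notCapable = Get-MgReportAuthenticationMethodUserRegistrationDetail -All `
    -Filter "isMfaCapable eq false and userType eq 'member'"

# Assumption: directory synchronization service accounts use the default
# 'Sync_<server>_<id>@...' naming; drop them, as noted under Impact.
$notCapable = $notCapable | Where-Object { $_.UserPrincipalName -notlike 'Sync_*' }

$rows = foreach ($u in $notCapable) {
    # signInActivity is only returned when selected explicitly.
    $user = Get-MgUser -UserId $u.Id -Property 'id,accountEnabled,signInActivity' `
        -ErrorAction SilentlyContinue
    $lastSignIn = $user.SignInActivity.LastSignInDateTime

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $user.AccountEnabled
        IsAdmin           = $u.IsAdmin
        MethodsRegistered = ($u.MethodsRegistered -join ',')
        LastSignIn        = $lastSignIn
        # No recorded sign-in maps to the "User has never signed on" condition;
        # everything else needs the CA policy applicability checks.
        Condition         = if (-not $lastSignIn) { 'Never signed in' }
                            else { 'Review CA policy applicability' }
    }
}

$rows | Sort-Object Condition, UserPrincipalName | Format-Table -AutoSize
$rows | Export-Csv -Path '.\members-not-mfa-capable.csv' -NoTypeInformation
```

Users in the "Review CA policy applicability" group are the ones to run through the What If tool and the Sign-in logs steps above; disabled accounts with no sign-in belong in the employment-status review.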

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: microsoft_azure

Control ID: 5714d47cac2fcb9cafd849d15193492fb779d53537bca94675304fb6f414c543