5.2.2.5 Ensure 'Phishing-resistant MFA strength' is required for Administrators

Information

Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.

Microsoft has 3 built-in authentication strengths. MFA strength, Passwordless MFA strength, and Phishing-resistant MFA strength. Ensure administrator roles are using a CA policy with Phishing-resistant MFA strength.

Administrators can then enroll using one of 3 methods:

FIDO2 Security Key

Windows Hello for Business

Certificate-based authentication (Multi-Factor)

Note: Additional steps to configure methods such as FIDO2 keys are not covered here but can be found in related MS articles in the references section. The Conditional Access policy only ensures 1 of the 3 methods is used.

Warning: Administrators should be pre-registered for a strong authentication mechanism before this Conditional Access Policy is enforced. Additionally, as stated elsewhere in the CIS Benchmark a break-glass administrator account should be excluded from this policy to ensure unfettered access in the case of an emergency.

Rationale:

Sophisticated attacks targeting MFA are more prevalent as the use of it becomes more widespread. These 3 methods are considered phishing-resistant as they remove passwords from the login workflow. It also ensures that public/private key exchange can only happen between the devices and a registered provider which prevents login to fake or phishing websites.

Impact:

If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy being created, then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements and therefore are prevented from signing in.

Additionally, Internet Explorer based credential prompts in PowerShell do not support prompting for a security key. Implementing phishing-resistant MFA with a security key may prevent admins from running their existing sets of PowerShell scripts. Device Authorization Grant Flow can be used as a workaround in some instances.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Click expand Protection > Conditional Access select Policies.

Click New policy.

Go to Users > Users and groups > Include > Select users and groups > Directory roles

Add at least the Directory roles listed after these steps.

Select Cloud apps or actions > All cloud apps (and don't exclude any apps).

Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA

Click 'Select'

Set Enable policy to Report-only and click Create

At minimum these directory roles should be included for the policy:

Application administrator

Authentication administrator

Billing administrator

Cloud application administrator

Conditional Access administrator

Exchange administrator

Global administrator

Global reader

Helpdesk administrator

Password administrator

Privileged authentication administrator

Privileged role administrator

Security administrator

SharePoint administrator

User administrator

Warning: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to On.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1)

Plugin: microsoft_azure

Control ID: f4ac8d63a1728f432acef0c1ee68df4018c40605c487c7dac943a91cdf9c4762