Information
Designated users will be prompted to complete their multi-factor authentication (MFA) process on login.
Rationale:
Enabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.
Impact:
There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, MFA may require additional overhead to maintain. There is also a potential scenario in which the multi-factor authentication method can be lost, and administrative users are no longer able to log in. For this scenario, there should be an emergency access account. Please see References for creating this.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From Azure Portal
1. From Azure Home, open the Portal Menu in the top left and select Azure Active Directory.
2. Scroll down in the menu on the left and select Security.
3. On the left side, select Conditional Access.
4. Click + New policy.
Default Value:
By default, MFA is not enabled for any administrative accounts.
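Because this check is manual, one way to review the resulting policies offline is sketched below; it is an added example, not part of the benchmark or of the Nessus audit. It assumes the policies were exported as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource, uses constructed sample policies, and checks role-level targeting only.

```python
# Added example: checks exported Conditional Access policies for enforced admin MFA.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

def enforces_mfa(policy):
    """True only if the policy is switched on and cannot be satisfied without MFA."""
    if policy.get("state") != "enabled":  # disabled or report-only policies enforce nothing
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:  # authentication-strength grants are not evaluated here
        return False
    # With operator OR, a second control (e.g. compliantDevice) can replace MFA.
    return grant.get("operator") == "AND" or len(controls) == 1

def roles_missing_mfa(policies, required_roles):
    """Return the required role IDs that no MFA-enforcing policy covers."""
    required = set(required_roles)
    covered = set()
    for policy in policies:
        if not enforces_mfa(policy):
            continue
        users = (policy.get("conditions") or {}).get("users") or {}
        included = set(users.get("includeRoles") or [])
        if "All" in (users.get("includeUsers") or []):
            included |= required  # a policy for all users also covers every role
        covered |= included - set(users.get("excludeRoles") or [])
    return sorted(required - covered)

# Constructed sample data: both policies target admins, neither actually forces MFA.
SAMPLE = [
    {"displayName": "Admin MFA (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Admin MFA or compliant device",
     "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]

if __name__ == "__main__":
    for role in roles_missing_mfa(SAMPLE, [GLOBAL_ADMIN]):
        print("No enforced MFA policy covers role template", role)
```

A policy that excludes individual accounts through `excludeUsers`, such as the emergency access account, is not flagged by this role-level check and should be reviewed separately.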