MFA Not Required for a Privileged Role

HIGH

Description

Multi-Factor Authentication (MFA), formerly known as Two-Factor Authentication (2FA), offers robust protection for accounts against the risks associated with weak or compromised passwords. In line with best practices and industry standards, it is advisable to enable MFA, especially for privileged accounts: they are prime targets for attackers, and any compromise can have significant consequences.

When an attacker obtains a user password through any means, MFA blocks authentication by requesting an additional factor such as a time-expiring code from a mobile application, a physical token, a biometric feature, etc.

This Indicator of Exposure alerts you when a privileged role does not require MFA, impacting privileged users granted that specific privileged role. With Microsoft Entra ID, you can enable MFA through different methods:

  • Security defaults: Preconfigured security settings that include the mandatory use of multi-factor authentication for administrators. Enabling this setting simultaneously activates multiple security features as recommended by Microsoft.
  • Conditional Access: Policies specify the events or applications that require MFA. These policies can require MFA at every sign-in for administrators. Note: This feature requires a Microsoft Entra ID P1 license or higher and is not included in Microsoft Entra ID Free. It is particularly recommended for mature organizations with complex security needs that must define their authentication criteria precisely.
  • Per-user MFA: Per-user MFA is a legacy service that Microsoft recommends replacing with the newer Security defaults or Conditional Access policies. Because the Microsoft Graph API does not expose it, this Indicator of Exposure cannot determine whether users holding a privileged role are using and enforcing legacy per-user MFA.

Security defaults and Conditional Access are mutually exclusive; you cannot use them simultaneously. Note that Conditional Access policies can only target built-in Entra roles, excluding administrative unit-scoped roles and custom roles.
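The check described above, as an added example that is not part of the original indicator: given Conditional Access policies in the shape returned by the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users.includeRoles`/`excludeRoles`/`includeUsers`, `conditions.applications.includeApplications`, `grantControls`) and the security defaults flag, it lists the privileged roles that no enforced policy protects with MFA. The Global Administrator role template ID is the real built-in value; the second role ID and the policy are constructed sample data.

```python
"""List privileged Entra roles that no effective Conditional Access policy
protects with MFA. Input mirrors Microsoft Graph conditionalAccessPolicy
objects; the sample data below is constructed so the script runs offline."""

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"   # built-in role template ID
SAMPLE_ROLE = "00000000-0000-0000-0000-00000000beef"    # constructed placeholder ID

def policy_requires_mfa(policy: dict) -> bool:
    """True if an enabled policy enforces MFA (built-in 'mfa' control or an
    authentication strength) for all cloud apps."""
    if policy.get("state") != "enabled":          # report-only or disabled: not enforced
        return False
    apps = policy.get("conditions", {}).get("applications", {})
    if "All" not in apps.get("includeApplications", []):
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    has_mfa = "mfa" in controls or grant.get("authenticationStrength") is not None
    # With operator "OR", any second control (e.g. compliantDevice) lets a user skip MFA.
    if grant.get("operator") == "OR" and len(controls) > 1:
        return False
    return has_mfa

def policy_covers_role(policy: dict, role_id: str) -> bool:
    """True if the policy targets the role, either explicitly or via 'All users'."""
    users = policy.get("conditions", {}).get("users", {})
    if role_id in users.get("excludeRoles", []):
        return False
    return "All" in users.get("includeUsers", []) or role_id in users.get("includeRoles", [])

def roles_without_mfa(privileged_roles, policies, security_defaults_enabled=False):
    """Return the privileged role IDs that are not required to use MFA."""
    if security_defaults_enabled:     # security defaults already require MFA for admins
        return []
    enforcing = [p for p in policies if policy_requires_mfa(p)]
    return [r for r in privileged_roles
            if not any(policy_covers_role(p, r) for p in enforcing)]

# Constructed sample: one enabled policy that targets only the Global Administrator role.
SAMPLE_POLICIES = [{
    "displayName": "Require MFA for administrators",
    "state": "enabled",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN], "includeUsers": [], "excludeRoles": []},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]

if __name__ == "__main__":
    print(roles_without_mfa([GLOBAL_ADMIN, SAMPLE_ROLE], SAMPLE_POLICIES))  # [SAMPLE_ROLE]
```

Report-only policies (`enabledForReportingButNotEnforced`) and policies that grant MFA "OR" another control are deliberately treated as non-enforcing, since neither blocks a password-only sign-in.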

Solution

All reported privileged Entra roles must require MFA to increase the protection of their assigned users against credential attacks.

For Microsoft Entra ID, Microsoft offers a Conditional Access policy template called "Require MFA for administrators". This policy prompts users to register an MFA method the first time they authenticate after MFA enforcement begins. Tenable recommends that you follow the Microsoft documentation "Plan a Conditional Access deployment" to ensure proper planning and change management, and to mitigate the risk of locking yourself out. Alternatively, security defaults can fulfill this objective by mandating multi-factor authentication for administrators; note that enabling them also activates various other Microsoft-recommended security features. Thoroughly assess in advance whether any of these changes might cause regressions or unintended side effects in your environment.

Indicator Details

Name: MFA Not Required for a Privileged Role

Codename: MFA-NOT-REQUIRED-FOR-A-PRIVILEGED-ROLE

Severity: High

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: