Missing MFA for Non-Privileged Account

MEDIUM
Note: This indicator is in Early Access.

Description

This IoE cannot work without a Microsoft Entra ID P1 or P2 license due to data availability restrictions by Microsoft. Therefore, it will not return any result on Entra ID Free tenants.

Multi-Factor Authentication (MFA), previously known as Two-Factor Authentication (2FA), provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. When an attacker obtains a user password by any method, MFA blocks authentication by requesting an additional factor, such as a time-expiring code from a mobile application, a physical token, or a biometric feature.

This Indicator of Exposure alerts you when an account does not have a registered MFA method. This includes the case where you enforce MFA without a registered method, which can allow attackers with a password to register their own MFA methods and creates a security risk. However, this Indicator of Exposure cannot report on whether Microsoft Entra ID enforces MFA, because Conditional Access Policies may require MFA depending on dynamic criteria.

You can also use the "Authentication methods activity" and "MFA Reports" features in Entra ID.

See also the related IoE, "Missing MFA for Privileged Account", for privileged accounts.

Disabled users are ignored since they cannot be abused immediately by attackers, and also because of a limitation of the Microsoft Graph API which reports an incorrect MFA status for disabled users.
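
The check described above can be approximated offline as follows. This is an added example, not Tenable's implementation: the records are constructed and shaped like Microsoft Graph `userRegistrationDetails` objects joined with `accountEnabled` from the user object, and treating `isAdmin` as "privileged" is an assumption.

```python
# Constructed sample data shaped like Microsoft Graph userRegistrationDetails
# (GET /reports/authenticationMethods/userRegistrationDetails).
REGISTRATION_DETAILS = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"id": "u2", "userPrincipalName": "bob@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"id": "u3", "userPrincipalName": "carol@example.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"id": "u4", "userPrincipalName": "dave@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"id": "u5", "userPrincipalName": "erin@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": ["email"]},
]
# Constructed: accountEnabled per user id, as from GET /users?$select=id,accountEnabled.
ACCOUNT_ENABLED = {"u1": True, "u2": True, "u3": True, "u4": False, "u5": True}


def missing_mfa_non_privileged(details, account_enabled):
    """Return enabled, non-admin accounts that have no MFA method registered."""
    findings = []
    for rec in details:
        if rec.get("isAdmin"):
            continue  # assumption: isAdmin stands in for "privileged"; separate indicator
        if not account_enabled.get(rec["id"], True):
            continue  # disabled users are skipped; unknown state is treated as enabled
        if rec.get("isMfaRegistered"):
            continue
        findings.append({
            "upn": rec["userPrincipalName"],
            # Methods present but not usable for MFA (e.g. email is SSPR-only).
            "non_mfa_methods": sorted(rec.get("methodsRegistered", [])),
        })
    return findings


if __name__ == "__main__":
    for finding in missing_mfa_non_privileged(REGISTRATION_DETAILS, ACCOUNT_ENABLED):
        print(finding["upn"], finding["non_mfa_methods"])
```

A finding only says that no MFA method is registered; whether MFA is actually required at sign-in still depends on the tenant's Conditional Access Policies.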

Solution

All reported users, even non-privileged ones, must register MFA methods and have MFA enforced to increase their protection against password attacks.

For Microsoft Entra ID, Microsoft offers a Conditional Access Policy template called "Require MFA for all users". This policy prompts users to register an MFA method the first time they authenticate following MFA enforcement. We recommend that you follow the "Plan a Conditional Access deployment" Microsoft documentation.

Read more about Microsoft Entra MFA in this section of the Microsoft Entra authentication documentation (see also the related pages).

Indicator Details

Name: Missing MFA for Non-Privileged Account

Codename: MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT

Severity: Medium

MITRE ATT&CK Information: