Description:
Enable multi-factor authentication for all user accounts that have write access to Azure resources. These include roles such as:
Service Co-Administrators
Subscription Owners
Contributors
Rationale:
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Impact:
Users would require two forms of authentication before any action is granted. This also adds overhead for managing the second form of authentication.
Default Value:
By default, multi-factor authentication is disabled for all users.
Audit:
From Azure Console:
After signing in to your Azure account from the Azure Console:
Go to Azure Active Directory
Go to Users
Go to All Users
Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar
Check that MULTI-FACTOR AUTH STATUS is Enabled for all users who are Service Co-Administrators, Owners or Contributors.
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation Steps:
Go to Azure Active Directory
Go to Users
Go to All Users
Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar
Select the user, click on Enable, and in the popup click on ENABLE MULTI-FACTOR AUTH to enable MFA.
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to All Users
Click on the Multi-Factor Authentication button on the top bar
Select the user and click on Disable to disable MFA.
Microsoft Graph API:
For every subscription, for every tenant:
Step 1: Identify Users with Administrative Access
List all users using the Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/users
Capture each id and its corresponding userPrincipalName ($A.uid, $A.userPrincipalName).
List all role definitions using the Azure Management API:
GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleDefinitions?api-version=2017-05-01
Capture the role definition IDs ($B.name) and role names ($B.properties/roleName) where "properties/roleName" contains Owner, *contributor or admin.
List all role assignments (mapping $A.uid to $B.name) using the Azure Management API:
GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleassignments?api-version=2017-10-01-preview
Find all administrative roles ($B.name) in "Properties/roleDefinitionId" mapped to user ids ($A.uid) in "Properties/principalId" where "Properties/principalType" == "User". Now match $C.Properties/principalId with $A.uid, take the corresponding $A.userPrincipalName and save it as $D.userPrincipalName.
Step 2: Run the MSOL PowerShell command:
Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName
If the output contains any of the $D.userPrincipalName values, then this recommendation is non-compliant.
Note:
Please note that at this point in time, there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation. The only option is MSOL.
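As an added example (not part of the benchmark text), the following Python script implements the Step 1 join and the Step 2 comparison described above over constructed sample responses shaped like the Graph users, role-definition and role-assignment payloads, with the MSOL output supplied as a constructed list; the subscription id, user ids and UPNs are placeholders.

```python
import re

# Constructed sample responses shaped like the real payloads, trimmed to the fields this check uses.
GRAPH_USERS = {"value": [  # GET https://graph.microsoft.com/v1.0/users
    {"id": "u-1", "userPrincipalName": "alice@example.com"},
    {"id": "u-2", "userPrincipalName": "bob@example.com"},
    {"id": "u-3", "userPrincipalName": "carol@example.com"},
]}
ROLE_DEFINITIONS = {"value": [  # .../Microsoft.Authorization/roleDefinitions
    {"name": "rd-owner", "properties": {"roleName": "Owner"}},
    {"name": "rd-contrib", "properties": {"roleName": "Contributor"}},
    {"name": "rd-reader", "properties": {"roleName": "Reader"}},
]}
RD_PREFIX = "/subscriptions/sub-placeholder/providers/Microsoft.Authorization/roleDefinitions/"
ROLE_ASSIGNMENTS = {"value": [  # .../Microsoft.Authorization/roleassignments
    {"properties": {"roleDefinitionId": RD_PREFIX + "rd-owner", "principalId": "u-1", "principalType": "User"}},
    {"properties": {"roleDefinitionId": RD_PREFIX + "rd-contrib", "principalId": "u-2", "principalType": "User"}},
    {"properties": {"roleDefinitionId": RD_PREFIX + "rd-reader", "principalId": "u-3", "principalType": "User"}},
    {"properties": {"roleDefinitionId": RD_PREFIX + "rd-owner", "principalId": "sp-9", "principalType": "ServicePrincipal"}},
]}
# Constructed output of the Step 2 MSOL command (users with no strong authentication method registered).
MSOL_NO_MFA = ["Bob@example.com", "carol@example.com"]

ADMIN_ROLE = re.compile(r"owner|contributor|admin", re.IGNORECASE)

def admin_role_definition_ids(role_definitions):
    """Role definition names ($B.name) whose roleName contains Owner, contributor or admin."""
    return {rd["name"] for rd in role_definitions["value"]
            if ADMIN_ROLE.search(rd["properties"]["roleName"])}

def admin_user_upns(users, role_definitions, role_assignments):
    """$D.userPrincipalName: UPNs of User principals that hold an administrative role assignment."""
    admin_ids = admin_role_definition_ids(role_definitions)
    upn_by_id = {u["id"]: u["userPrincipalName"] for u in users["value"]}
    upns = set()
    for ra in role_assignments["value"]:
        p = ra["properties"]
        # roleDefinitionId is a full resource path; its last segment is the definition name.
        # Groups, service principals and ids not returned by Graph are skipped.
        if (p["principalType"] == "User" and p["principalId"] in upn_by_id
                and p["roleDefinitionId"].rsplit("/", 1)[-1] in admin_ids):
            upns.add(upn_by_id[p["principalId"]])
    return upns

def non_compliant_users(admin_upns, msol_no_mfa):
    """Administrative users that appear in the MSOL no-MFA list (UPNs compared case-insensitively)."""
    no_mfa = {u.lower() for u in msol_no_mfa}
    return sorted(u for u in admin_upns if u.lower() in no_mfa)

if __name__ == "__main__":
    admins = admin_user_upns(GRAPH_USERS, ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)
    print("non-compliant:", non_compliant_users(admins, MSOL_NO_MFA))  # ['bob@example.com']
```

Carol has no MFA but only a Reader role, and the service principal holding Owner is not a User principal, so neither is reported; only Bob, an admin without a strong authentication method, makes the recommendation non-compliant.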
Reference: