Description:

Enable multi-factor authentication for all user accounts that have write access to Azure resources. These include roles such as:

  • Service Co-Administrators

  • Subscription Owners

  • Contributors


Rationale:

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.


Impact:

Users would require two forms of authentication before any action is granted. Also, this requires overhead for managing dual forms of authentication.


Default Value:

By default, multi-factor authentication is disabled for all users.


Audit:

From Azure Console

  1. Sign in to your Azure account from the Azure Console.

  2. Go to Azure Active Directory

  3. Go to Users

  4. Go to All Users

  5. Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar

  6. Check that MULTI-FACTOR AUTH STATUS is Enabled for all users who are Service Co-Administrators OR Owners OR Contributors.


Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.


Implementation Steps:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar


  5. Select the user, click on Enable, and in the popup click on ENABLE MULTI-FACTOR AUTH to enable MFA


Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on Multi-Factor Authentication button on the top bar

  5. Select the user and click on Disable to disable MFA


Microsoft Graph API


For Every Subscription, For Every Tenant

Step 1: Identify Users with Administrative Access

  1. List all users using the Microsoft Graph API:

     GET https://graph.microsoft.com/v1.0/users

     Capture id and the corresponding userPrincipalName ($A.uid, $A.userPrincipalName).

  2. List all role definitions using the Azure Management API:

     GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleDefinitions?api-version=2017-05-01

     Capture role definition IDs/names ($B.name) and role names ($B.properties/roleName) where "properties/roleName" contains Owner, *contributor or admin.

  3. List all role assignments (mapping $A.uid to $B.name) using the Azure Management API:

     GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleassignments?api-version=2017-10-01-preview

     Find all administrative roles ($B.name) in "Properties/roleDefinitionId" mapped with user ids ($A.uid) in "Properties/principalId" where "Properties/principalType" == "User". Call this list $C.

  4. Now match $C.Properties/principalId with $A.uid, take the corresponding $A.userPrincipalName and save it as $D.userPrincipalName.

Step 2: Run the MSOL PowerShell command:

  Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

If the output contains any of the $D.userPrincipalName values, then this recommendation is non-compliant.
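The join across Step 1 and Step 2 above, as an added Python example that is not part of the benchmark text: it runs the matching logic offline over constructed sample API responses, so every id, role definition name, UPN and the no-MFA list are made-up stand-ins for the real GET responses and the Get-MsolUser output.

```python
import re

# Constructed sample responses; every id, name and UPN below is a made-up stand-in.
RD = "/subscriptions/SUB-ID/providers/Microsoft.Authorization/roleDefinitions/"
USERS = {"value": [                       # GET https://graph.microsoft.com/v1.0/users
    {"id": "u-1", "userPrincipalName": "alice@contoso.example"},
    {"id": "u-2", "userPrincipalName": "bob@contoso.example"},
    {"id": "u-3", "userPrincipalName": "carol@contoso.example"}]}
ROLE_DEFS = {"value": [                   # .../roleDefinitions?api-version=2017-05-01
    {"name": "rd-owner", "properties": {"roleName": "Owner"}},
    {"name": "rd-contrib", "properties": {"roleName": "Contributor"}},
    {"name": "rd-reader", "properties": {"roleName": "Reader"}}]}
ROLE_ASSIGNMENTS = {"value": [            # .../roleassignments?api-version=2017-10-01-preview
    {"properties": {"roleDefinitionId": RD + "rd-owner", "principalId": "u-1", "principalType": "User"}},
    {"properties": {"roleDefinitionId": RD + "rd-reader", "principalId": "u-2", "principalType": "User"}},
    {"properties": {"roleDefinitionId": RD + "rd-contrib", "principalId": "u-3", "principalType": "User"}},
    {"properties": {"roleDefinitionId": RD + "rd-contrib", "principalId": "sp-9",
                    "principalType": "ServicePrincipal"}}]}
# Constructed stand-in for the Get-MsolUser output: UPNs with zero strong authentication methods.
NO_MFA_UPNS = {"bob@contoso.example", "carol@contoso.example"}

# "properties/roleName" contains Owner, *contributor or admin (case-insensitive substring match)
ADMIN_ROLE = re.compile(r"owner|contributor|admin", re.IGNORECASE)

def admin_role_names(role_defs):
    """$B.name for every role definition whose roleName looks administrative."""
    return {d["name"] for d in role_defs["value"] if ADMIN_ROLE.search(d["properties"]["roleName"])}

def admin_user_ids(assignments, admin_names):
    """$C: principalIds of User-type assignments whose roleDefinitionId ends in an admin $B.name."""
    ids = set()
    for a in assignments["value"]:
        p = a["properties"]
        if p["principalType"] == "User" and p["roleDefinitionId"].rsplit("/", 1)[-1] in admin_names:
            ids.add(p["principalId"])
    return ids

def admin_upns(users, role_defs, assignments):
    """$D.userPrincipalName: match $C principalIds back to $A.uid and return the UPNs."""
    ids = admin_user_ids(assignments, admin_role_names(role_defs))
    return {u["userPrincipalName"] for u in users["value"] if u["id"] in ids}

def non_compliant_admins(users, role_defs, assignments, no_mfa_upns):
    """Administrative users with no strong auth method; a non-empty result means non-compliant."""
    return sorted(admin_upns(users, role_defs, assignments) & set(no_mfa_upns))

if __name__ == "__main__":
    print(non_compliant_admins(USERS, ROLE_DEFS, ROLE_ASSIGNMENTS, NO_MFA_UPNS))  # ['carol@contoso.example']
```

Note that the service principal assignment is skipped deliberately, as the procedure only considers "Properties/principalType" == "User"; a real tenant would feed the paged JSON of the three GET requests and the cmdlet output into the same functions.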