MFA reduces organizational risk and helps achieve regulatory compliance by adding a layer of security on top of the existing user credentials: a second form of authentication that protects employee, customer, and partner access.
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Users must present two forms of authentication before any action is granted, and the organization takes on the overhead of enrolling and managing a second authentication factor for every user.
By default, multi-factor authentication is disabled for all users.
- Go to Azure Active Directory
- Go to Users
- Go to All Users
- Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar
- Check whether MULTI-FACTOR AUTH STATUS is Enabled or Disabled
Microsoft Graph API
For Every Subscription, For Every Tenant
Step 1: Identify users with non-administrative access
List all users using the Microsoft Graph API:
Capture each user's id and corresponding userPrincipalName ($A.id, $A.userPrincipalName)
List all role definitions using the Azure Management API:
Capture the role definition ID/name ($B.name) and role name ($B.properties/roleName) for every role whose "properties/roleName" does NOT contain Owner, *contributor or admin
List all role assignments (mappings of $A.id to $B.name) using the Azure Management API:
Find all assignments ($C) whose "properties/roleDefinitionId" is one of the non-administrative roles ($B.name), whose "properties/principalType" is "User", and whose "properties/principalId" is a user id ($A.id). Then match $C.properties/principalId with $A.id, take the corresponding $A.userPrincipalName, and save it as $D.userPrincipalName.
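The join described in Step 1, as an added example that is not part of the benchmark text: plain Python over the three response bodies (users from Graph, roleDefinitions and roleAssignments from the Azure Management API). The sample payloads are constructed; the tenant, subscription and principal IDs are made up, while the three built-in role GUIDs (Owner, Reader, User Access Administrator) are the real well-known ones. One deliberate extension over the page's literal join is flagged in the code: a user who holds an administrative role as well as a non-administrative one is treated as privileged and left out of the non-privileged list.

```python
"""Step 1 of the audit (identify non-administrative users) as pure Python.

Added example, not from the benchmark. Input lists are the 'value' arrays of:
  GET https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName
  GET https://management.azure.com/subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01
  GET https://management.azure.com/subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01
Fetching (token acquisition, paging via @odata.nextLink / nextLink) is left to the caller.
"""
import re

# Role names the benchmark treats as administrative: Owner, *contributor, admin.
ADMIN_ROLE_NAME = re.compile(r"owner|contributor|admin", re.IGNORECASE)


def _role_guid(resource_id):
    """Last path segment of an ARM roleDefinition id, lower-cased.

    An assignment may reference a role as
    '/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>'
    or, when inherited from a management group, '/providers/.../roleDefinitions/<guid>'.
    Joining on the GUID makes the match independent of scope.
    """
    return resource_id.rstrip("/").rsplit("/", 1)[-1].lower()


def classify_role_definitions(role_definitions):
    """Split roleDefinitions into (non_admin, admin) dicts of {guid: roleName}."""
    non_admin, admin = {}, {}
    for rd in role_definitions:
        role_name = rd["properties"]["roleName"]
        target = admin if ADMIN_ROLE_NAME.search(role_name) else non_admin
        target[_role_guid(rd["id"])] = role_name
    return non_admin, admin


def non_admin_user_principal_names(users, role_definitions, role_assignments):
    """Return sorted UPNs ($D.userPrincipalName) of users with only non-admin roles.

    Stricter than the page's literal join (an assumption made here): a user who
    also holds an administrative role is excluded, because that user is privileged
    and belongs to the companion control for administrators. Assignments whose
    principalType is not 'User', or whose principalId is not in the user list
    (deleted accounts, guests not returned, service principals), are skipped.
    """
    upn_by_id = {u["id"].lower(): u["userPrincipalName"] for u in users}
    non_admin_roles, admin_roles = classify_role_definitions(role_definitions)

    has_non_admin, has_admin = set(), set()
    for ra in role_assignments:
        props = ra["properties"]
        if props.get("principalType") != "User":
            continue
        pid = props["principalId"].lower()
        if pid not in upn_by_id:
            continue
        guid = _role_guid(props["roleDefinitionId"])
        if guid in admin_roles:
            has_admin.add(pid)
        elif guid in non_admin_roles:
            has_non_admin.add(pid)
    return sorted(upn_by_id[pid] for pid in has_non_admin - has_admin)


# Constructed sample payloads shaped like the real API responses.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_DEFS = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions"
OWNER, READER, UAA = ("8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
                      "acdd72a7-3385-48ef-bd42-f606fba81ae7",
                      "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9")
SAMPLE_USERS = [
    {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@contoso.example"},
    {"id": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "bob@contoso.example"},
    {"id": "33333333-3333-3333-3333-333333333333", "userPrincipalName": "carol@contoso.example"},
]
SAMPLE_ROLE_DEFINITIONS = [
    {"id": f"{ROLE_DEFS}/{OWNER}", "name": OWNER, "properties": {"roleName": "Owner"}},
    {"id": f"{ROLE_DEFS}/{READER}", "name": READER, "properties": {"roleName": "Reader"}},
    {"id": f"{ROLE_DEFS}/{UAA}", "name": UAA, "properties": {"roleName": "User Access Administrator"}},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    # alice: Reader only -> non-privileged
    {"properties": {"roleDefinitionId": f"{ROLE_DEFS}/{READER}", "principalType": "User",
                    "principalId": "11111111-1111-1111-1111-111111111111"}},
    # bob: Reader and Owner -> privileged, excluded
    {"properties": {"roleDefinitionId": f"{ROLE_DEFS}/{READER}", "principalType": "User",
                    "principalId": "22222222-2222-2222-2222-222222222222"}},
    {"properties": {"roleDefinitionId": f"{ROLE_DEFS}/{OWNER}", "principalType": "User",
                    "principalId": "22222222-2222-2222-2222-222222222222"}},
    # carol: Reader inherited from a management group (scope-less role id)
    {"properties": {"roleDefinitionId": f"/providers/Microsoft.Authorization/roleDefinitions/{READER}",
                    "principalType": "User", "principalId": "33333333-3333-3333-3333-333333333333"}},
    # service principal and a deleted user: both ignored
    {"properties": {"roleDefinitionId": f"{ROLE_DEFS}/{READER}", "principalType": "ServicePrincipal",
                    "principalId": "44444444-4444-4444-4444-444444444444"}},
    {"properties": {"roleDefinitionId": f"{ROLE_DEFS}/{READER}", "principalType": "User",
                    "principalId": "55555555-5555-5555-5555-555555555555"}},
]

if __name__ == "__main__":
    for upn in non_admin_user_principal_names(SAMPLE_USERS, SAMPLE_ROLE_DEFINITIONS, SAMPLE_ROLE_ASSIGNMENTS):
        print(upn)
```

The returned list is the $D.userPrincipalName set that Step 2 consumes. Two things to keep in mind when running this against a real tenant: both APIs page their results, so concatenate every page's `value` array before calling the function, and the role-name filter is only a heuristic (a custom role with a harmless name but broad actions would pass as non-administrative), so review custom roles separately.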
Step 2: Run the MSOL PowerShell command: