Description: 

This control ensures that all non-privileged user accounts have Multi-Factor Authentication enabled to provide an additional layer of identity protection. Enabling MFA helps prevent unauthorized access by requiring a second verification method during login, significantly improving security against phishing, credential theft, and account misuse.


Rationale:

Non-privileged accounts are common targets for cyberattacks. Enabling MFA reduces the risk of unauthorized access by ensuring that compromised passwords alone cannot be used, helping protect corporate data and preventing attackers from gaining access to internal systems.


Impact:

Users will experience an extra authentication step during login, which may slightly increase sign-in time. However, this improves overall system security, reduces account compromise risk, and strengthens trust in access control mechanisms across the organization.


Pre-requisites:

  • Global Administrator or Security Administrator access to Microsoft Entra ID

  • Non-privileged users exist in Microsoft Entra ID.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Select Users under Manage

  4. Open Per-user MFA

  5. Review all non-privileged users

  6. Verify Multi-Factor Auth Status is set to Enabled or Enforced for each non-privileged user

  7. If Multi-Factor Auth Status is not Enabled or Enforced, follow the implementation steps

Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Select Users under Manage

  4. Open Per-user MFA

  5. Select the non-privileged user with Multi-Factor Auth Status set to Disabled

  6. Click Enable

  7. Confirm the action and save
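The Test Plan and Implementation Steps above are portal click-throughs; the following Microsoft Graph PowerShell script is an added example (not part of this control's text) that performs the same check at scale and, optionally, the same remediation. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed, that the signed-in account holds the roles listed under Pre-requisites, and that "non-privileged" means a member user who holds no active Entra directory role (the control does not define the term; this is the script's own working definition).

```powershell
# Added example, not the control's own procedure: audit per-user MFA state for
# non-privileged users, mirroring Test Plan steps 5-7.
# Assumptions: Microsoft.Graph and Microsoft.Graph.Beta modules installed;
# "non-privileged" = member user with no active directory role assignment.
Connect-MgGraph -Scopes "User.Read.All","RoleManagement.Read.Directory","Policy.ReadWrite.AuthenticationMethod" -NoWelcome

# Collect object IDs of every member of every activated directory role.
$privilegedIds = New-Object System.Collections.Generic.HashSet[string]
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [void]$privilegedIds.Add($member.Id)
    }
}

# Enumerate member (non-guest) users and read each one's per-user MFA state.
# PerUserMfaState is one of: disabled, enabled, enforced (same values the portal shows).
$findings = foreach ($user in Get-MgUser -All -Filter "userType eq 'Member'" -Property Id,UserPrincipalName,AccountEnabled) {
    if ($privilegedIds.Contains($user.Id)) { continue }   # privileged accounts are out of scope for this control
    $state = (Get-MgBetaUserAuthenticationRequirement -UserId $user.Id).PerUserMfaState
    [pscustomobject]@{
        Id                = $user.Id
        UserPrincipalName = $user.UserPrincipalName
        AccountEnabled    = $user.AccountEnabled
        PerUserMfaState   = $state
        Compliant         = ($state -in @('enabled','enforced'))   # Test Plan step 6
    }
}

$findings | Sort-Object Compliant, UserPrincipalName |
    Format-Table UserPrincipalName, AccountEnabled, PerUserMfaState, Compliant -AutoSize

# Users that would fail Test Plan step 7.
$nonCompliant = @($findings | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} non-privileged users do not have per-user MFA Enabled or Enforced" -f $nonCompliant.Count, @($findings).Count)

# Optional remediation, equivalent to Implementation Steps 5-7 (Click Enable).
# Uncomment after reviewing the list above; leave commented for a read-only audit.
# foreach ($u in $nonCompliant) {
#     Update-MgBetaUserAuthenticationRequirement -UserId $u.Id -PerUserMfaState "enabled"
# }
```

The rollback in the Backup section corresponds to running the same Update call with `-PerUserMfaState "disabled"` for the affected user.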

Backup:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Select Users under Manage

  4. Open Per-user MFA

  5. Select the changed non-privileged user

  6. Change Multi-Factor Auth Status from Enabled or Enforced to Disabled

References: 

  1. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

  2. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#enable-and-enforce-mfa

  3. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference