Description:
MFA reduces organizational risk and helps achieve regulatory compliance by adding a layer of security on top of the existing user credentials: a second form of authentication protects employee, customer, and partner access.
Rationale:
Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Impact:
Users must present two forms of authentication before access is granted. Managing the second authentication factor for every user also adds administrative overhead.
Default Value:
By default, multi-factor authentication is disabled for all users.
Audit:
Go to Azure Active Directory
Go to Users
Go to All Users
- Click the Per-user MFA (Multi-Factor Authentication) button on the top bar
- Check whether MULTI-FACTOR AUTH STATUS is Enabled or Disabled for each user
Microsoft Graph API
For every tenant, and for every subscription in it:
Step 1: Identify users with non-administrative access
List all users using the Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/users
Capture each id and its corresponding userPrincipalName ($A.uid, $A.userPrincipalName).
List all role definitions using the Azure Management API:
GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleDefinitions?api-version=2017-05-01
Capture the role definition IDs ($B.name) and role names ($B.properties/roleName) where "properties/roleName" does NOT contain Owner, *contributor or admin.
List all role assignments (mapping $A.uid to $B.name) using the Azure Management API:
GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleassignments?api-version=2017-10-01-preview
Find all assignments ($C) that reference a non-administrative role ($B.name) in "properties/roleDefinitionId" and whose "properties/principalType" is "User". Match each "properties/principalId" ($C.properties/principalId) with $A.uid and record the corresponding $A.userPrincipalName as $D.userPrincipalName.
Step 2: Run the MSOL PowerShell command: Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName
If the output contains any of the $D.userPrincipalName values, then this recommendation is non-compliant.
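The audit procedure above, automated for a single subscription as an added PowerShell example (not part of the benchmark or of any Microsoft tooling). It assumes the Az.Accounts and MSOnline modules are installed, Connect-AzAccount and Connect-MsolService have already been run, and Get-AzAccessToken returns a plain-text .Token (Az.Accounts before 5.0); the $A/$B/$D variable names follow the steps above.

```powershell
# Added example: audit "MFA enabled for all non-privileged users" for one subscription.
# Assumes Az.Accounts (Get-AzAccessToken) and MSOnline (Get-MsolUser) are loaded and
# that Connect-AzAccount and Connect-MsolService have been run for the target tenant.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId
)

# Follow paging links so large tenants are not silently truncated.
# Graph uses "@odata.nextLink", the Azure Management API uses "nextLink".
function Get-AllPages([string] $Uri, [string] $Token) {
    $items = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method GET -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
        if ($page.value) { $items += $page.value }
        $Uri = if ($page.'@odata.nextLink') { $page.'@odata.nextLink' } else { $page.nextLink }
    }
    return $items
}

# Assumption: .Token is a plain string here (it is a SecureString from Az.Accounts 5.0 on).
$graphToken = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
$armToken   = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
$arm        = "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Authorization"

# $A: every user in the tenant, keyed by object id -> userPrincipalName
$A = @{}
Get-AllPages 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName' $graphToken |
    ForEach-Object { $A[$_.id] = $_.userPrincipalName }

# $B: role definitions whose roleName does NOT look administrative (Owner / *contributor / admin).
# -notmatch is case-insensitive, so "Contributor", "Security Admin", "User Access Administrator" are all excluded.
$B = Get-AllPages "$arm/roleDefinitions?api-version=2017-05-01" $armToken |
    Where-Object { $_.properties.roleName -notmatch 'owner|contributor|admin' }
$nonAdminRoleNames = @($B | ForEach-Object { $_.name })   # $B.name is the role GUID

# $C -> $D: assignments of a non-admin role to a User principal, resolved to UPNs.
# roleDefinitionId is a resource path that ends in the role GUID, so compare its last segment.
$D = Get-AllPages "$arm/roleassignments?api-version=2017-10-01-preview" $armToken |
    Where-Object { $_.properties.principalType -eq 'User' -and
                   $nonAdminRoleNames -contains ($_.properties.roleDefinitionId -split '/')[-1] -and
                   $A.ContainsKey($_.properties.principalId) } |
    ForEach-Object { $A[$_.properties.principalId] } | Sort-Object -Unique

# Step 2: users with no registered strong authentication method (MSOL is the only source for this).
$noMfa = Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
    Select-Object -ExpandProperty UserPrincipalName

$nonCompliant = $D | Where-Object { $noMfa -contains $_ }
if ($nonCompliant) {
    Write-Output "NON-COMPLIANT: non-privileged users without MFA in $SubscriptionId"
    $nonCompliant | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "COMPLIANT: all non-privileged users in $SubscriptionId have an MFA method registered"
}
```

Run it once per subscription (the benchmark asks for every subscription in every tenant); a user who holds only administrative roles is outside this check and is covered by the separate privileged-user recommendation.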
Remediation:
Pre-requisites:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges. Some MFA settings can also be managed by an Authentication Policy Administrator.
Implementation Steps:
Go to Azure Active Directory
Go to Users
Go to All Users
- Click the Per-user MFA (Multi-Factor Authentication) button on the top bar
- Select the user, click Enable, and in the popup click ENABLE MULTI-FACTOR AUTH to enable MFA
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to All Users
Click the Multi-Factor Authentication button on the top bar
Select the user and click Disable to disable MFA
Note:
Please note that at this point in time there is no API/CLI mechanism available to conduct a security assessment for this recommendation programmatically. The only option is the MSOL (MSOnline) PowerShell module.
References:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access