Description:

MFA reduces organizational risk and helps achieve regulatory compliance by providing an additional layer of security on top of the existing user credentials, using a second form of authentication to secure employee, customer, and partner access.


Rationale:

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.


Impact:

Users must present two forms of authentication before access is granted. This also adds administrative overhead for enrolling, managing, and recovering the second factor.


Default Value:

By default, multi-factor authentication is disabled for all users.


Audit:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar

  5. Check whether MULTI-FACTOR AUTH STATUS is Enabled or Disabled for each non-privileged user


Microsoft Graph API

For Every Subscription, For Every Tenant

Step 1: Identify Users with non-administrative Access

  1. List All Users Using Microsoft Graph API:

    GET https://graph.microsoft.com/v1.0/users

    Capture id and corresponding userPrincipalName ($uid, $userPrincipalName)

  2. List all Role Definitions Using Azure Management API:

    GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleDefinitions?api-version=2017-05-01

    Capture Role Definition IDs/Names ($name) and role names ($properties/roleName) where "properties/roleName" does NOT contain Owner, *Contributor or *Admin*. Save this set as $B.

  3. List All Role Assignments (Mapping $A.uid to $B.name) Using Azure Management API:

    GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleAssignments?api-version=2017-10-01-preview

    Find all non-administrative roles ($B.name) in "properties/roleDefinitionId" mapped to user IDs ($A.uid) in "properties/principalId" where "properties/principalType" == "User". Save this set as $C.

    Now match $C.properties/principalId with $A.uid and capture the corresponding $A.userPrincipalName; save these as $D.userPrincipalName.


Step 2: Run MSOL PowerShell command:

    Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

    If the output contains any of the $D.userPrincipalName values, then this recommendation is non-compliant.
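The join described in Step 1 and Step 2 is easy to get wrong by hand (the role assignment carries the full ARM resource ID of the role definition, not just its GUID, and principalType must be filtered). The following is an added example, not part of the original recommendation, that performs the same audit logic offline over constructed sample records shaped like the Graph, ARM and MSOL outputs above. The subscription ID, GUIDs and contoso.example UPNs are placeholders; in a real assessment the three lists would come from the API calls in Step 1 and the MSOL command in Step 2.

```python
"""Offline version of the audit join: $B (non-admin roles) -> $C (user role
assignments) -> $D (UPNs) -> intersect with users lacking a strong auth method.
Added example; all records below are constructed sample data, not captured
from a tenant."""
import re

# Role names the audit treats as administrative: Owner, *Contributor, *Admin*.
ADMIN_ROLE_PATTERN = re.compile(r"owner|contributor|admin", re.IGNORECASE)

# --- Constructed sample data (placeholder IDs) --------------------------------
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"

# GET https://graph.microsoft.com/v1.0/users  -> $A (id, userPrincipalName)
USERS = [
    {"id": "11111111-0000-0000-0000-000000000001", "userPrincipalName": "alice@contoso.example"},
    {"id": "11111111-0000-0000-0000-000000000002", "userPrincipalName": "bob@contoso.example"},
    {"id": "11111111-0000-0000-0000-000000000003", "userPrincipalName": "carol@contoso.example"},
]

# .../Microsoft.Authorization/roleDefinitions -> $B ("name" is the definition GUID)
ROLE_DEFINITIONS = [
    {"name": "22222222-0000-0000-0000-000000000001", "properties": {"roleName": "Owner"}},
    {"name": "22222222-0000-0000-0000-000000000002", "properties": {"roleName": "Contributor"}},
    {"name": "22222222-0000-0000-0000-000000000003", "properties": {"roleName": "Reader"}},
    {"name": "22222222-0000-0000-0000-000000000004", "properties": {"roleName": "User Access Administrator"}},
]


def role_definition_path(definition_guid):
    """Build the full ARM resource ID that roleAssignments carry in roleDefinitionId."""
    return SUBSCRIPTION + "/providers/Microsoft.Authorization/roleDefinitions/" + definition_guid


# .../Microsoft.Authorization/roleAssignments -> $C
ROLE_ASSIGNMENTS = [
    {"properties": {"principalId": USERS[0]["id"], "principalType": "User",
                    "roleDefinitionId": role_definition_path(ROLE_DEFINITIONS[0]["name"])}},  # alice: Owner
    {"properties": {"principalId": USERS[1]["id"], "principalType": "User",
                    "roleDefinitionId": role_definition_path(ROLE_DEFINITIONS[2]["name"])}},  # bob: Reader
    {"properties": {"principalId": USERS[2]["id"], "principalType": "User",
                    "roleDefinitionId": role_definition_path(ROLE_DEFINITIONS[2]["name"])}},  # carol: Reader
    {"properties": {"principalId": "33333333-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
                    "roleDefinitionId": role_definition_path(ROLE_DEFINITIONS[2]["name"])}},  # app: Reader
]

# Output of: Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0}
USERS_WITHOUT_MFA = ["alice@contoso.example", "bob@contoso.example"]


# --- Audit logic ------------------------------------------------------------------
def non_admin_role_ids(role_definitions):
    """$B: definition GUIDs whose roleName does not contain Owner/Contributor/Admin."""
    return {rd["name"] for rd in role_definitions
            if not ADMIN_ROLE_PATTERN.search(rd["properties"]["roleName"])}


def non_admin_user_upns(users, role_definitions, role_assignments):
    """$D: UPNs of users ($A) holding at least one non-administrative role via $C."""
    upn_by_id = {u["id"]: u["userPrincipalName"] for u in users}
    non_admin = non_admin_role_ids(role_definitions)
    upns = set()
    for ra in role_assignments:
        props = ra["properties"]
        if props.get("principalType") != "User":
            continue  # groups and service principals are out of scope for this check
        # roleDefinitionId is the full ARM resource ID; its last segment is $B.name
        definition_guid = props["roleDefinitionId"].rsplit("/", 1)[-1]
        principal = props["principalId"]
        if definition_guid in non_admin and principal in upn_by_id:
            upns.add(upn_by_id[principal])
    return upns


def non_compliant(non_admin_upns, upns_without_mfa):
    """Users in $D that MSOL reports with zero StrongAuthenticationMethods."""
    missing = {u.lower() for u in upns_without_mfa}  # UPNs are case-insensitive
    return {u for u in non_admin_upns if u.lower() in missing}


def run_sample_audit():
    """Run the whole audit over the constructed data; returns sorted non-compliant UPNs."""
    target = non_admin_user_upns(USERS, ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)
    return sorted(non_compliant(target, USERS_WITHOUT_MFA))


if __name__ == "__main__":
    findings = run_sample_audit()
    print("NON-COMPLIANT" if findings else "COMPLIANT", findings)
```

On the sample data only bob is reported: carol holds a non-administrative role but has a strong authentication method, the Reader assignment to the service principal is skipped by the principalType filter, and alice lacks MFA but holds only the Owner role, so she is outside the non-administrative scope of this check.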


Remediation:

Pre-requisites:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges. Some MFA settings can also be managed by an Authentication Policy Administrator.


Implementation Steps:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar

  5. Select the user, click on Enable, and in the popup click on ENABLE MULTI-FACTOR AUTH to enable MFA


Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on the Per-user MFA (Multi-Factor Authentication) button on the top bar

  5. Select the user and click on Disable to disable MFA


Note:

Please note that at the time this recommendation was written there was no REST API/CLI mechanism available to programmatically conduct a security assessment for it; the MSOL (MSOnline) PowerShell module was the only option. Caveat for current use: Microsoft has since deprecated the MSOnline module, so before building a new assessment on Get-MsolUser, check current Microsoft documentation for the Microsoft Graph authentication methods endpoints (for example GET https://graph.microsoft.com/v1.0/users/{id}/authentication/methods), which report a user's registered methods without MSOL.

References:

  1. https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication

  2. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access