Description:
Do not allow users to remember multi-factor authentication on devices. When you restore MFA authentication on all remembered devices for a user, the user will be challenged to perform two-step verification the next time they sign in, regardless of whether or not they chose to mark their device as trusted.
Rationale:
Remembering Multi-Factor Authentication (MFA) for devices and browsers gives users the option to bypass MFA for a set number of days after a successful sign-in using MFA. This can enhance usability by reducing the number of times a user must perform two-step verification on the same device.
Impact:
For every login attempt, the user will be required to perform multi-factor authentication.
Default Value:
By default, "Allow users to remember multi-factor authentication on devices they trust" is disabled.
Audit:
Go to Azure Active Directory
Go to Users
Go to All Users
Click on Per-user MFA (Multi-Factor Authentication) button on the top bar
Click on service settings
Check that Allow users to remember multi-factor authentication on devices they trust is not enabled
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation:
Go to Azure Active Directory
Go to Users
Go to All Users
Click on Per-user MFA (Multi-Factor Authentication) button on the top bar
Click on service settings
Disable Allow users to remember multi-factor authentication on devices they trust
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to All Users
Click on Per-user MFA button on the top bar
Click on service settings
Enable “Allow users to remember multi-factor authentication on devices they trust”
Note:
Please note that at this point in time, there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation.
References:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#remember-multi-factor-authentication-for-devices-that-users-trust
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access