Description:

Do not allow users to remember multi-factor authentication on devices they trust. Restoring MFA on all remembered devices for a user forces that user to perform two-step verification at the next sign-in, regardless of whether they chose to mark the device as trusted.


Rationale:

Remembering Multi-Factor Authentication (MFA) for devices and browsers gives users the option to bypass MFA for a set number of days after a successful sign-in that used MFA. This improves usability by reducing how often a user must perform two-step verification on the same device. However, if the account or the remembered device is compromised, the attacker inherits that MFA bypass for the rest of the remembered period: the device, rather than the user's second factor, is what is being trusted. Disabling this option ensures that MFA is enforced on every sign-in.


Impact:

Users will be prompted to perform multi-factor authentication at every sign-in, including on devices they previously marked as trusted.


Default Value:

By default, "Allow users to remember multi-factor authentication on devices they trust" is disabled.


Audit:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on Per-user MFA (Multi-Factor Authentication) button on the top bar

  5. Click on service settings

  6. Check that Allow users to remember multi-factor authentication on devices they trust is not enabled


Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.


Implementation:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on Per-user MFA (Multi-Factor Authentication) button on the top bar

  5. Click on service settings

  6. Disable Allow users to remember multi-factor authentication on devices they trust



Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to All Users

  4. Click on Per-user MFA (Multi-Factor Authentication) button on the top bar

  5. Click on service settings

  6. Enable Allow users to remember multi-factor authentication on devices they trust


Note:

At the time of writing, there is no API or CLI mechanism to programmatically audit this recommendation; the check must be performed through the portal as described in the Audit section.


References:

  1. https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#remember-multi-factor-authentication-for-devices-that-users-trust

  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access