Description:
Joining devices to Azure Active Directory should require multi-factor authentication.
Rationale:
Multi-factor authentication is recommended when adding devices to Azure AD. When set to "Yes", users who are adding devices from the internet must first complete a second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the directory using a compromised user account.
Impact:
Users who are adding devices from the internet must complete a second method of authentication.
Default Value:
By default, Require Multi-Factor Auth to join devices is set to No.
Audit:
Sign in to your Azure account.
Go to Azure Active Directory
Go to Devices
Go to Device settings
Check the Require Multi-Factor Auth to join devices setting (in this scenario it is set to No, the default)
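The portal steps above can also be scripted so the check runs as part of a recurring audit. The following is an added example, not part of the benchmark text; it assumes the Microsoft Graph beta endpoint policies/deviceRegistrationPolicy exposes the toggle as the field multiFactorAuthConfiguration ("required" for Yes, "notRequired" for No) and that the caller's token has been granted Policy.Read.All; the GRAPH_TOKEN environment variable and the sample responses are constructed for this example.

```python
"""Audit the 'Require Multi-Factor Auth to join devices' setting via Microsoft Graph."""
import json
import os
import urllib.request

# Assumed endpoint and field name; verify against current Graph documentation.
GRAPH_URL = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
CONTROL = "Require Multi-Factor Auth to join devices"


def evaluate_policy(policy: dict) -> dict:
    """Return an audit result for the benchmark check.

    Passes only when MFA is required for device join from the internet.
    Any other value, including a missing field, is reported as a finding
    so that an unexpected API shape cannot silently look compliant.
    """
    value = policy.get("multiFactorAuthConfiguration")
    compliant = value == "required"
    return {
        "control": CONTROL,
        "expected": "required",
        "actual": value if value is not None else "<missing>",
        "status": "PASS" if compliant else "FAIL",
    }


def fetch_policy(access_token: str) -> dict:
    """Read the tenant's device registration policy (assumed permission: Policy.Read.All)."""
    req = urllib.request.Request(
        GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses so the check can be exercised offline:
# the tenant default (toggle set to No) and the remediated state (Yes).
SAMPLE_DEFAULT = {"id": "deviceRegistrationPolicy", "multiFactorAuthConfiguration": "notRequired"}
SAMPLE_REMEDIATED = {"id": "deviceRegistrationPolicy", "multiFactorAuthConfiguration": "required"}


if __name__ == "__main__":
    # With a token (constructed env var name) the live tenant is audited;
    # without one the default sample is evaluated to show the expected finding.
    token = os.environ.get("GRAPH_TOKEN")
    policy = fetch_policy(token) if token else SAMPLE_DEFAULT
    print(json.dumps(evaluate_policy(policy), indent=2))
```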
Remediation:
Pre-requisites:
Azure account
Azure AD associated with the subscription
User with appropriate privileges to change the setting
Implementation Steps:
Go to Azure Active Directory
Go to Devices
Go to Device settings
Set Require Multi-Factor Auth to join devices to Yes and click on Save
Backout Plan:
Go to Azure Active Directory
Go to Devices
Go to Device settings
Set Require Multi-Factor Auth to join devices to No and click on Save
Note: This setting does not apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure and Azure AD joined devices using Windows Autopilot self-deployment mode.
References:
https://blogs.technet.microsoft.com/janketil/2016/02/29/azure-mfa-for-enrollment-in-intune-and-azure-ad-device-registration-explained/
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access