Description:

Joining devices to Azure Active Directory should require multi-factor authentication.


Rationale:

Multi-factor authentication is recommended when adding devices to Azure AD. When this setting is "Yes", a user who joins a device from the internet must complete a second authentication method before the device is added to the directory. This limits the damage from a compromised user account: an attacker who holds only the account's password cannot enrol a rogue device, and so cannot obtain a device identity that would let them satisfy device-based access policies.


Impact:

Users who join devices from the internet must complete a second authentication method before the join succeeds. Roll the change out alongside MFA registration so that users who have not yet enrolled a second factor are not blocked from joining devices.


Default Value:

By default, Require Multi-Factor Auth to join devices is set to No, so a username and password alone are sufficient to join a device.


Audit:

  1. Sign in to the Azure portal.

  2. Go to Azure Active Directory

  3. Go to Devices

  4. Go to Device settings

  5. Check the Require Multi-Factor Auth to join devices setting. It should be Yes; the default value, No, is the non-compliant state.


Remediation:

Pre-requisites:

  1. Azure account

  2. Azure AD associated with the subscription

  3. User with appropriate privileges to change the setting


Implementation Steps:

  1. Go to Azure Active Directory

  2. Go to Devices

  3. Go to Device settings

  4. Set Require Multi-Factor Auth to join devices to Yes and click Save


Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Devices

  3. Go to Device settings

  4. Set Require Multi-Factor Auth to join devices to No and click Save


Note: This setting does not apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure, or Azure AD joined devices using Windows Autopilot self-deployment mode; enabling it gives no protection for those join paths. Microsoft's documentation for this setting also recommends the Conditional Access user action "Register or join devices" as the preferred way to require MFA for device join, and advises leaving this tenant-wide toggle at No when such a Conditional Access policy is in use. Choose one mechanism, document it, and audit whichever one you rely on.
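The audit, remediation and backout steps above can be scripted against Microsoft Graph, which is how you would check this setting across many tenants or from a pipeline. The following PowerShell script is an added example and is not part of the benchmark page; it assumes the Microsoft Graph PowerShell SDK is installed and that the Graph resource /policies/deviceRegistrationPolicy exposes the portal toggle as the property multiFactorAuthConfiguration with the values required (portal: Yes) and notRequired (portal: No). The permission names and the -Mode parameter are part of this example, not of the page.

```powershell
# Added example, not from the benchmark page: audit, remediate or back out the
# "Require Multi-Factor Auth to join devices" setting via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and
# the /policies/deviceRegistrationPolicy resource with its
# multiFactorAuthConfiguration property ("required" / "notRequired").
param(
    [ValidateSet('Audit', 'Remediate', 'Backout')]
    [string]$Mode = 'Audit'
)

$policyUri = 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'

# Reading the policy needs Policy.Read.All; writing it needs
# Policy.ReadWrite.DeviceConfiguration (assumed permission names).
$scopes = if ($Mode -eq 'Audit') { 'Policy.Read.All' } else { 'Policy.ReadWrite.DeviceConfiguration' }
Connect-MgGraph -Scopes $scopes -NoWelcome

function Test-MfaRequiredForJoin {
    param([hashtable]$Policy)
    # "required" is the portal value Yes; "notRequired" is No, the default.
    return ($Policy.multiFactorAuthConfiguration -eq 'required')
}

# ----- Audit: report the current state of the setting -----
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
if (Test-MfaRequiredForJoin $policy) {
    Write-Host 'PASS: multiFactorAuthConfiguration = required (portal: Yes)'
} else {
    Write-Host ('FAIL: multiFactorAuthConfiguration = {0} (portal: No)' -f $policy.multiFactorAuthConfiguration)
}

if ($Mode -eq 'Audit') { return }

# ----- Remediate (Yes) or Backout (No) -----
$desired = if ($Mode -eq 'Remediate') { 'required' } else { 'notRequired' }

# The update replaces the whole policy object, so send every current property
# back unchanged except the MFA flag. The @odata.context annotation returned by
# GET is metadata and must not be echoed back.
$body = @{}
foreach ($key in $policy.Keys) {
    if ($key -ne '@odata.context') { $body[$key] = $policy[$key] }
}
$body.multiFactorAuthConfiguration = $desired

Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $body -ContentType 'application/json'

# Re-read the policy and fail loudly if the change did not stick, so a pipeline
# run does not report success on a silently ignored write.
$after = Invoke-MgGraphRequest -Method GET -Uri $policyUri
if ($after.multiFactorAuthConfiguration -ne $desired) {
    throw "Policy update did not take effect; value is $($after.multiFactorAuthConfiguration)"
}
Write-Host "multiFactorAuthConfiguration is now $desired"
```

Run it as `.\Set-DeviceJoinMfa.ps1` (audit only), `.\Set-DeviceJoinMfa.ps1 -Mode Remediate` to set the toggle to Yes, or `-Mode Backout` to restore No. Because the write is a full replacement of the policy object, the script copies every property it read back into the request body rather than sending only the MFA flag, so the other device settings (such as who may join devices and the per-user device quota) are preserved.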


References: