Description:

Ensure that a Multi-Factor Authentication (MFA) policy exists for all users in Microsoft Entra ID to require additional verification beyond passwords. Implementing an MFA policy significantly reduces the risk of unauthorized access, protects sensitive data, and mitigates identity-based attacks such as credential theft and account compromise.


Rationale:

Implementing Multi-Factor Authentication for all users reduces the risk of account compromise by preventing access with stolen passwords alone, strengthens identity security, and improves protection of critical systems and sensitive data.


Impact:

Implementing MFA for all users minimizes the risk of account compromise by preventing access with stolen passwords alone. It strengthens identity security, reduces exposure to phishing and brute-force attacks, and ensures better protection of critical systems and data.


Pre-requisites:

  • Microsoft Entra ID (Azure Active Directory) subscription.

  • Global Administrator or Conditional Access Administrator permissions.

  • Users must be part of Microsoft Entra ID (Azure AD) and have valid accounts.

  • MFA should be available and supported in the organization’s environment.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

  4. Open Conditional Access

  5. Select Policies

  6. Review existing Conditional Access policies

  7. Verify a policy exists that requires Multi-Factor Authentication for all users

  8. Verify the policy is enabled

  9. If an MFA policy for all users is not configured or not enabled, follow the implementation steps


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com 

  2. Search for Microsoft Entra ID and open it

  3. Under the Manage section, select Security

                                        

  1. Under the protect, open Conditional Access

                                 

  1. Select Policies and create a new policy

            

  1. Configure the policy to include all users and all cloud apps

  2. Set the grant control to require multi-factor authentication

  3. Enable and save the policy

Backup:

  1. Sign in to the Azure Portal at https://portal.azure.com 

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Security and open Conditional Access

  4. Select Policies and locate the MFA policy applied to all users

  5. Disable or delete the policy

  6. Save the changes

References: