Description:

Ensure Multi-Factor Authentication (MFA) is required for Azure management access by enforcing MFA through Microsoft Entra ID Conditional Access. This control protects Azure management operations by requiring additional authentication for access to the Azure portal, Azure PowerShell, Azure CLI, ARM APIs, and other Azure management interfaces, reducing the risk of unauthorized administrative actions.


Rationale:

Without MFA enforcement on Azure management endpoints, attackers who obtain or guess a password could modify or destroy cloud resources. MFA significantly reduces the likelihood of unauthorized administrative access. This requirement aligns with zero-trust principles and security best practices, ensuring only verified users can access Azure management tools.


Impact:

  • Prevents unauthorized users from performing management operations

  • Strengthens identity protection and reduces credential-based attacks

  • Ensures compliance with major security frameworks (CIS, NIST, ISO, SOC2)

Default Value:

MFA for Azure management is not enabled by default. Conditional Access must be configured manually.

Pre-Requisites:

  • Microsoft Entra ID P1 or P2 license

  • Conditional Access permissions (Security Administrator, Global Administrator)

  • Cloud apps list, including Microsoft Azure Management endpoints

Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com.

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Security

  4. Under the Protect section, open Conditional Access and select Policies

  5. Review existing Conditional Access policies

  6. Verify a policy exists that targets Microsoft Azure Management and requires Multi-Factor Authentication

  7. Verify the policy applies to the intended users and is enabled

  8. If MFA is not required for Azure management access, follow the implementation steps
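
The checks in steps 6 and 7 can also be applied to a policy export rather than by eye. The following script is an added example, not part of this control's text: it takes policy objects in the shape returned by the Microsoft Graph endpoint GET /identity/conditionalAccess/policies and reports which ones actually enforce MFA for Azure management. The app ID used for Microsoft Azure Management is a well-known value that should be confirmed against your own export, and the sample policies are constructed.

```python
# Well-known app ID that the Conditional Access cloud-apps picker labels
# "Microsoft Azure Management" (Windows Azure Service Management API).
# Assumed value: confirm it against your tenant's policy export.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def policy_enforces_mfa_for_azure_mgmt(policy: dict) -> bool:
    """Return True if one policy object (shape of GET /identity/conditionalAccess/policies)
    is enabled, covers the Azure management app and actually requires MFA."""
    if policy.get("state") != "enabled":  # disabled / report-only policies enforce nothing
        return False
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    targets_mgmt = "All" in included or AZURE_MANAGEMENT_APP_ID in included
    if not targets_mgmt or AZURE_MANAGEMENT_APP_ID in excluded:
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    requires_mfa = "mfa" in controls or bool(grant.get("authenticationStrength"))
    # With operator "OR" any one listed control satisfies the policy, so a second
    # control (e.g. compliantDevice) lets a sign-in skip MFA entirely.
    if grant.get("operator", "OR") == "OR" and len(controls) > 1:
        return False
    return requires_mfa


def find_enforcing_policies(policies: list[dict]) -> list[str]:
    """Display names of policies that pass the check, for the evidence record."""
    return [p.get("displayName", "<unnamed>") for p in policies
            if policy_enforces_mfa_for_azure_mgmt(p)]


# Constructed sample export (not real tenant data): one good policy and two that
# look right in the portal but do not enforce MFA for Azure management.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for Azure management", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA pilot (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA or compliant device for all apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]
```

The user scope (includeUsers and excludeUsers) is deliberately not judged by the script; step 7 still requires comparing it against the intended administrative population.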


Implementation steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Security

  4. Under the Protect section, open Conditional Access and select Policies

  5. Select Create new policy

  6. Configure Users to include the intended users

  7. Configure Cloud apps to target Microsoft Azure Management

  8. Configure Grant controls to require Multi-Factor Authentication

  9. Enable the policy and save the configuration


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Security

  4. Under the Protect section, open Conditional Access and select Policies

  5. Select the Conditional Access policy enforcing MFA for Azure management

  6. Disable or delete the policy

  7. Save the changes


Reference: