Description:

A Multi-Factor Authentication (MFA) policy ensures that all users are required to authenticate with more than just a password when accessing resources. This enhances security by requiring users to provide additional proof of their identity, such as a code sent via SMS, an app-based authentication code, or a biometric scan. Creating an MFA policy for all users helps protect against password theft, phishing, and other common attacks.

Rationale:

Enforcing MFA for all users helps prevent unauthorized access even when a user's password has been compromised, because the attacker must also satisfy the second factor. MFA is an essential component of modern identity protection, and organizations are increasingly required to implement it to meet regulatory and security compliance standards (e.g., GDPR, HIPAA, SOC 2).

Impact:

Implementing an MFA policy for all users significantly improves security, but it may introduce some user friction, as MFA prompts will be required each time users log in. Users must complete the MFA registration process, which could involve configuring a phone number or installing an authenticator app. Organizations need to ensure they provide proper user support and clear instructions during the registration process.

Default Value:

By default, MFA is not enabled for all users. It needs to be manually configured and enforced via Conditional Access policies in Azure Active Directory (AAD).

Pre-requisites:

  • Azure Active Directory subscription.

  • Global Administrator or Conditional Access Administrator permissions.

  • Users must be part of Azure AD and have valid accounts.

  • MFA should be available and supported in the organization’s environment.

Audit:

  1. Sign in to the Azure portal as a Global Administrator or Conditional Access Administrator.

  2. Navigate to Azure Active Directory > Security > Conditional Access.

  3. Ensure that there is an enabled (not report-only) Conditional Access policy that requires MFA for all users on all cloud apps.
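The portal check above can be automated against the policy objects that Microsoft Graph returns. The following is an added example, not part of the original page or of any Microsoft tooling: it takes a list of Conditional Access policies in the shape returned by `GET /identity/conditionalAccess/policies` (fields `state`, `conditions.users`, `conditions.applications`, `grantControls`) and reports which ones actually enforce MFA for All users on All cloud apps. The three sample policies are constructed, with placeholder object ids; the first is shaped like the policy the manual implementation steps produce, the second is the same policy left in report-only mode, and the third is scoped to one group and one app.

```python
"""Audit Conditional Access policies for an enforced, tenant-wide MFA requirement.

Policy objects use the shape returned by the Microsoft Graph endpoint
GET /identity/conditionalAccess/policies. The three policies below are
constructed sample data with placeholder object ids, not a real tenant export.
"""

SAMPLE_POLICIES = [
    {   # Shaped like the policy the manual steps create: All users, All cloud
        # apps, Grant access with "Require multi-factor authentication".
        "displayName": "Enforce MFA for All Users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["<break-glass-account-id>"],  # placeholder id
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Same scope, but left in report-only mode, so it enforces nothing.
        "displayName": "MFA pilot (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Enabled, but scoped to one group and one application (placeholder ids).
        "displayName": "MFA for finance app",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["<finance-group-id>"],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["<finance-app-id>"],
                             "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def mfa_requirement(policy):
    """Classify the grant controls: 'required' (every sign-in must satisfy MFA),
    'optional' (MFA is one of several alternatives joined by OR) or 'none'."""
    grant = policy.get("grantControls") or {}
    controls = list(grant.get("builtInControls") or [])
    # A configured authentication strength (e.g. phishing-resistant MFA) is
    # also an MFA requirement; count it as one more control.
    if grant.get("authenticationStrength") is not None:
        controls.append("authenticationStrength")
    if "mfa" not in controls and "authenticationStrength" not in controls:
        return "none"
    if grant.get("operator") == "OR" and len(controls) > 1:
        # "Require one of the selected controls": another control can satisfy
        # the grant without MFA, so MFA is not actually mandatory.
        return "optional"
    return "required"


def audit_mfa_policies(policies):
    """Return which policies enforce MFA for All users on All cloud apps,
    why the other MFA policies fall short, and any exclusions to review."""
    report = {"compliant": False, "enforcing": [], "findings": [], "exclusions": []}
    for policy in policies:
        name = policy.get("displayName", "<unnamed>")
        requirement = mfa_requirement(policy)
        if requirement == "none":
            continue  # not an MFA policy; irrelevant to this control
        users = policy.get("conditions", {}).get("users", {})
        apps = policy.get("conditions", {}).get("applications", {})
        problems = []
        if policy.get("state") != "enabled":
            problems.append(f"state is {policy.get('state')!r}, not 'enabled'")
        if requirement == "optional":
            problems.append("MFA is only one of several OR-ed grant controls")
        if "All" not in (users.get("includeUsers") or []):
            problems.append("does not include All users")
        if "All" not in (apps.get("includeApplications") or []):
            problems.append("does not include All cloud apps")
        if problems:
            report["findings"].append(f"{name}: " + "; ".join(problems))
            continue
        report["enforcing"].append(name)
        # Exclusions do not fail the policy (break-glass accounts are commonly
        # excluded) but every excluded object should be reviewed.
        excluded = (list(users.get("excludeUsers") or []) + list(users.get("excludeGroups") or [])
                    + list(users.get("excludeRoles") or []) + list(apps.get("excludeApplications") or []))
        if excluded:
            report["exclusions"].append(f"{name}: excludes {excluded}")
    report["compliant"] = bool(report["enforcing"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_mfa_policies(SAMPLE_POLICIES), indent=2))
```

Against the sample data the audit reports the tenant as compliant on the strength of the first policy, lists the report-only and the narrowly scoped policies as findings, and surfaces the break-glass exclusion for review. The `operator` check matters in practice: a policy whose grant controls are "mfa" OR "compliantDevice" lets a compliant device satisfy the grant without a second factor, so it is reported rather than counted as enforcing.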

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Conditional Access Administrator permissions.

  2. Navigate to Conditional Access Policies:

    • In the Azure portal, go to Azure Active Directory > Security > Conditional Access.

  3. Create a New Conditional Access Policy:

    • Click on + New Policy to create a new Conditional Access policy.

    • Provide a descriptive name for the policy (e.g., "Enforce MFA for All Users").

  4. Define Policy Scope:

    • Under Assignments > Users and groups, select All Users or specific groups to apply the policy to. You can also select specific roles if you want to enforce MFA for particular users (e.g., administrators).

    • Under Cloud apps or actions, select All cloud apps to apply the policy to all Azure applications or specify individual applications if needed.

  5. Configure MFA Enforcement:

    • Under Conditions, configure any additional conditions (e.g., device platform, locations) if required. You can skip this if you want the policy to apply universally.

    • Under Access controls, select Grant > Grant access and check the box for Require multi-factor authentication.

    • This ensures that MFA will be required for all users when they sign in.

  6. Enable the Policy:

    • After configuring the policy, select Enable policy to activate it. You can also configure the policy to be in Report-only mode first to monitor the impact before enforcement.

  7. Test MFA Setup:

    • After enabling the policy, test the configuration by signing in with a user account that is subject to the MFA policy.

    • Confirm that users are prompted to register for MFA if they haven’t already done so and that MFA is enforced on sign-in.

  8. Monitor and Review:

    • Use Azure AD Sign-in Logs to monitor users' sign-in attempts and verify that MFA is being applied.

    • Review the logs regularly to ensure compliance and detect any failed login attempts due to MFA challenges.
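Step 8 is the part that is easy to neglect, so here is an added example of the log review, not code from the original page or from Microsoft. It processes sign-in records in the shape returned by Microsoft Graph `GET /auditLogs/signIns` (`status.errorCode`, `conditionalAccessStatus`, `authenticationRequirement`, `appliedConditionalAccessPolicies`) and counts sign-ins where the MFA policy was applied and satisfied, sign-ins where the user failed the MFA challenge, and, the case a reviewer most wants to see, successful sign-ins that completed with a single factor even though the tenant-wide policy exists. The four records are constructed samples; the policy name is assumed to match the one created in the steps above, and the `result` values are taken from the Graph `appliedConditionalAccessPolicyResult` enumeration.

```python
"""Review sign-in log entries to verify that the MFA policy is being applied.

Records follow the shape of Microsoft Graph GET /auditLogs/signIns. The four
entries below are constructed samples, not a real export.
"""

POLICY_NAME = "Enforce MFA for All Users"   # assumed to match the policy created above

SAMPLE_SIGNINS = [
    {   # Healthy case: policy applied and MFA satisfied.
        "userPrincipalName": "alice@contoso.example",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "authenticationRequirement": "multiFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success", "enforcedGrantControls": ["Mfa"]}],
    },
    {   # The user was challenged but did not complete MFA; any non-zero
        # errorCode means the sign-in did not succeed (constructed value).
        "userPrincipalName": "bob@contoso.example",
        "status": {"errorCode": 50074},
        "conditionalAccessStatus": "failure",
        "authenticationRequirement": "multiFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "failure", "enforcedGrantControls": ["Mfa"]}],
    },
    {   # Coverage gap: succeeded with a password only and no policy applied,
        # typically because the account or app is excluded from the policy.
        "userPrincipalName": "svc-legacy@contoso.example",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [],
    },
    {   # Another healthy case.
        "userPrincipalName": "carol@contoso.example",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "authenticationRequirement": "multiFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success", "enforcedGrantControls": ["Mfa"]}],
    },
]


def review_signins(records, policy_name=POLICY_NAME):
    """Summarise how the named MFA policy behaved across the sign-in records.

    Returns counts of sign-ins where the policy was satisfied or failed, and
    the list of principals that signed in successfully with a single factor,
    which is the condition worth alerting on.
    """
    summary = {"mfa_enforced": 0, "mfa_challenge_failed": 0, "single_factor_success": []}
    for rec in records:
        succeeded = (rec.get("status") or {}).get("errorCode", 0) == 0
        # Map each applied policy to its outcome for this sign-in.
        outcomes = {p.get("displayName"): p.get("result")
                    for p in rec.get("appliedConditionalAccessPolicies") or []}
        outcome = outcomes.get(policy_name)
        if outcome == "success":
            summary["mfa_enforced"] += 1
        elif outcome == "failure":
            summary["mfa_challenge_failed"] += 1
        if succeeded and rec.get("authenticationRequirement") == "singleFactorAuthentication":
            summary["single_factor_success"].append(rec.get("userPrincipalName"))
    return summary


if __name__ == "__main__":
    for key, value in review_signins(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

On the sample data this yields two enforced sign-ins, one failed challenge and one single-factor success for `svc-legacy@contoso.example`. A steady count of failed challenges is expected while users are still registering; a non-empty `single_factor_success` list is the signal to act on, because each entry is a session that obtained access without a second factor and should be traced back to the exclusion or scope gap that let it through.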

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Conditional Access Administrator privileges.

  2. Navigate to Conditional Access Policies:

    • Go to Azure Active Directory > Security > Conditional Access.

  3. Disable or Remove the MFA Policy:

    • Locate the Conditional Access policy you created to enforce MFA for all users.

    • You can either disable the policy or remove it entirely.

    • To disable, toggle the Enable policy option to No.

  4. Test Reverted Access:

    • After disabling or removing the policy, test the sign-in process to ensure that MFA is no longer being enforced and that users can access the resources without MFA.

  5. Review Access Logs:

    • Review the sign-in logs to ensure that users can still log in without MFA after the backout.
