Description:

Microsoft Entra ID (formerly Azure Active Directory) can require Multi-Factor Authentication (MFA) when a user registers or joins a device to the tenant. Only users who have completed MFA can then add devices to the directory, which adds a layer of protection against unauthorized device registration or join. The control covers both Microsoft Entra joined devices and Microsoft Entra registered (personal) devices, and can be enforced either through the tenant-wide device setting "Require Multifactor Authentication to register or join devices with Microsoft Entra" or, as Microsoft recommends, through a Conditional Access policy that targets the "Register or join devices" user action.

Requiring MFA for device registration means that every device joining or registering with Microsoft Entra is added by a user who has proven possession of a second factor. This matters because an attacker holding only a user's password could otherwise register a device under that identity, and a registered or joined device may be trusted by device-based access policies and used to reach organizational resources.

Rationale:

By requiring MFA to register or join devices (either via the tenant-wide device setting set to 'Yes' or, preferably, via a Conditional Access policy on the Register or join devices user action), you:

  • Ensure that only users who have completed MFA can add devices to your Microsoft Entra tenant, so a stolen password alone cannot be used to register an attacker-controlled device.

  • Keep device enrollment tightly controlled: every registration is tied to an MFA-verified user and is visible in the sign-in logs.

  • Meet compliance requirements in environments where device management is central to the security posture, such as in highly regulated sectors.

  • Reduce the risk that a rogue device is registered and later used to access organizational resources that trust registered or joined devices.

Impact:

Enabling MFA for device registration ensures that devices are registered only by users who can provide an additional authentication factor beyond their password. This adds one more step to device registration for end users and may increase friction when onboarding new devices, and users without a registered MFA method will be asked to register one first. Before enforcing the policy, run it in Report-only mode and test the enrollment paths your organization relies on (for example Windows Autopilot, Intune enrollment and hybrid join), and exclude your emergency-access (break-glass) accounts so a lost MFA method cannot lock administrators out. The increased security is a worthwhile trade-off for preventing unauthorized device registration.

Default Value:

By default, the tenant-wide device setting "Require Multifactor Authentication to register or join devices with Microsoft Entra" is set to No, and no Conditional Access policy targets the Register or join devices user action. One of the two must be configured manually to enforce MFA for device registration.

Pre-requisites:

  • A Microsoft Entra tenant in which users have MFA methods registered (users without a method will be prompted to register one when the policy applies).

  • The Conditional Access Administrator, Security Administrator or Global Administrator role to create Conditional Access policies; the Global Administrator role to change the tenant-wide device setting.

  • A Microsoft Entra ID P1 or P2 license is required for Conditional Access. The tenant-wide device setting is available without a premium license.

Audit:

  1. Sign in to the Microsoft Entra admin center (or the Azure portal) with an account that holds at least the Security Reader role.

  2. Check the tenant-wide device setting: go to Identity > Devices > Device settings and note whether "Require Multifactor Authentication to register or join devices with Microsoft Entra" is set to Yes.

  3. Check for a Conditional Access policy: go to Protection > Conditional Access > Policies (Microsoft Entra ID > Security > Conditional Access in the Azure portal). Open any policy whose Target resources are set to the user action "Register or join devices" and confirm that it is On (not Report-only), that it includes All users with only emergency-access accounts excluded, and that its Grant control is "Require multifactor authentication".

  4. The control is satisfied when either the device setting is Yes or such a Conditional Access policy is On. Microsoft documents that the device setting must be No when a Conditional Access policy is used, so both being enabled is a misconfiguration to report.
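The audit above can be scripted against Microsoft Graph. The script below is an added example written for this page, not Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to Policy.Read.All. It reads the tenant-wide device setting through the Graph deviceRegistrationPolicy resource (property multiFactorAuthConfiguration) and lists the Conditional Access policies that enforce MFA on the Register or join devices user action (identifier urn:user:registerdevice). Report-only policies are deliberately not counted as enforcing.

```powershell
# Added audit example (not part of the original control text).
# Assumes the Microsoft.Graph PowerShell SDK and an account that can consent to Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# 1. Tenant-wide device setting ("Require Multifactor Authentication to register or join
#    devices with Microsoft Entra"), exposed by Graph as
#    deviceRegistrationPolicy.multiFactorAuthConfiguration ("required" or "notRequired").
$devicePolicy  = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy"
$legacySetting = $devicePolicy.multiFactorAuthConfiguration

# 2. Conditional Access policies that target the "Register or join devices" user action,
#    are On (state "enabled"; report-only policies do not enforce), cover all users and
#    grant access only with the built-in MFA control.
$enforcing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.Conditions.Applications.IncludeUserActions -contains "urn:user:registerdevice" -and
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "mfa"
}
$enforcingCount = @($enforcing).Count

"Device setting multiFactorAuthConfiguration: $legacySetting"
"Enforcing Conditional Access policies: $enforcingCount"
$enforcing | ForEach-Object {
    # Excluded users/groups are listed so the auditor can confirm only break-glass accounts are there.
    "  {0} (excluded users: {1}; excluded groups: {2})" -f $_.DisplayName,
        (($_.Conditions.Users.ExcludeUsers) -join ", "),
        (($_.Conditions.Users.ExcludeGroups) -join ", ")
}

# 3. Verdict. Microsoft documents that the device setting must be No when a Conditional
#    Access policy is used, so the overlap is flagged as well as the gap.
if ($legacySetting -eq "required" -and $enforcingCount -gt 0) {
    Write-Warning "Both the device setting and Conditional Access require MFA; set the device setting to No."
} elseif ($legacySetting -eq "required" -or $enforcingCount -gt 0) {
    "PASS: MFA is required to register or join devices."
} else {
    Write-Warning "FAIL: MFA is not required to register or join devices."
}
```

Run it in a PowerShell session where Connect-MgGraph can complete an interactive sign-in; the script only reads policy objects and makes no changes.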

Implementation Steps (Manual):

  1. Sign in to the Microsoft Entra admin center (or the Azure portal):

    • Use an account with the Conditional Access Administrator, Security Administrator or Global Administrator role.

  2. Navigate to Conditional Access:

    • In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies (in the Azure portal: Microsoft Entra ID > Security > Conditional Access).

  3. Create the policy:

    • Select New policy and give it a descriptive name, for example "Require MFA for Device Registration". Give this user action its own policy rather than adding it to an existing cloud-app policy.

  4. Define the Assignments:

    • Under Users, include All users and exclude your emergency-access (break-glass) accounts so that a lost MFA method cannot lock administrators out.

    • Under Target resources (formerly Cloud apps or actions), switch the selector from Cloud apps to User actions and tick Register or join devices. Selecting All cloud apps is not the documented way to target device registration; the user action is.

  5. Set the Grant Control:

    • Under Grant, select Grant access and tick Require multifactor authentication. For this user action, Microsoft documents Require multifactor authentication as the only available grant control.

  6. Review and Create:

    • Review the policy, set Enable policy to Report-only and click Create. After the sign-in logs show the expected registrations being evaluated and no broken enrollment flows, edit the policy and set it to On.

    • If the tenant-wide device setting "Require Multifactor Authentication to register or join devices with Microsoft Entra" is currently Yes, set it to No once the Conditional Access policy is On; Microsoft documents that the two must not both be enabled.

  7. Verify MFA Enforcement for Device Registration:

    • Register or join a test device with a user account that is in scope of the policy (and not in the exclusion group).

    • With the policy On, confirm that an MFA prompt appears during registration. With the policy in Report-only, open the registration sign-in in the sign-in logs and confirm the policy is listed under Report-only with a result other than reportOnlyNotApplied.

  8. Monitor Registration Attempts:

    • Use the Microsoft Entra sign-in logs (Identity > Monitoring & health > Sign-in logs, or the SigninLogs table if the logs are exported to Log Analytics) to monitor registration or join attempts and confirm that MFA is required for each one.

Example Sign-in logs query in Log Analytics. Device registrations appear in SigninLogs with ResourceDisplayName "Device Registration Service"; AuthenticationRequirement shows whether MFA was demanded and ConditionalAccessStatus whether a policy was applied (notApplied on a registration sign-in means that user was not in scope of any policy, which is the gap to look for):

SigninLogs

| where ResourceDisplayName == "Device Registration Service"

| project TimeGenerated, UserPrincipalName, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResultType

| order by TimeGenerated desc

| take 10

Automate the Configuration via Microsoft Graph PowerShell: Azure CLI has no commands for Conditional Access, so the policy is created through the Microsoft Graph API (POST /identity/conditionalAccess/policies), here with the Microsoft Graph PowerShell SDK. The policy is created in Report-only mode; change state to "enabled" once the sign-in logs show no unexpected impact:

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA for Device Registration"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeUserActions = @("urn:user:registerdevice") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

  1. This creates a Conditional Access policy that requires MFA for all users on the Register or join devices user action (urn:user:registerdevice). Add the object IDs of your emergency-access accounts to conditions.users.excludeUsers before switching the state to "enabled".

  2. Set Up Alerts (Optional):

    • You can set up alerts in Azure Monitor to notify administrators of Conditional Access failures or of registration sign-ins where no policy was applied.

    • With the sign-in logs exported to Log Analytics, go to Azure Monitor > Alerts and create a log search alert rule based on a SigninLogs query such as the one above, filtered on ConditionalAccessStatus == "failure" or "notApplied".

Backout Plan (Manual):

  1. Sign in to the Microsoft Entra admin center (or the Azure portal):

    • Use an account with the Conditional Access Administrator, Security Administrator or Global Administrator role.

  2. Navigate to Conditional Access:

    • Go to Protection > Conditional Access > Policies (in the Azure portal: Microsoft Entra ID > Security > Conditional Access).

  3. Disable the Conditional Access Policy:

    • Locate the policy that targets the Register or join devices user action.

    • Set Enable policy to Off and save. Prefer disabling over deleting: the configuration and its change history are retained and the policy can be re-enabled in one step once the problem is understood.

    • If the tenant-wide device setting was used instead, set "Require Multifactor Authentication to register or join devices with Microsoft Entra" back to No under Identity > Devices > Device settings.

  4. Verify the Reverted Configuration:

    • Register or join a test device with an in-scope account and confirm that the registration completes without an MFA prompt from this control, and that the sign-in log entry no longer lists the policy as applied.
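The backout can be performed with Microsoft Graph PowerShell as well. The script below is an added example written for this page, not Microsoft's code; it assumes the Microsoft.Graph PowerShell SDK, an account that can consent to Policy.ReadWrite.ConditionalAccess, and that the policy carries the display name used in the automation section above (an assumption; adjust $name to match your tenant). It disables the policy rather than deleting it, then reads the policy back to confirm the state.

```powershell
# Added backout example (not part of the original control text).
# Assumes the Microsoft.Graph PowerShell SDK; the policy name is an assumption.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$name   = "Require MFA for Device Registration"
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$name'"
if (-not $policy) { throw "No Conditional Access policy named '$name' was found." }
if (@($policy).Count -gt 1) { throw "More than one policy is named '$name'; disable by ID instead." }

# Disable instead of delete: the configuration and its audit history are kept and the
# policy can be re-enabled later by setting state back to "enabled".
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ state = "disabled" }

# Read the policy back and confirm the change took effect.
$after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($after.State -ne "disabled") { throw "Policy '$name' is still in state '$($after.State)'." }
"Policy '$name' ($($after.Id)) is now disabled; re-enable with state = 'enabled' when ready."
```

If the tenant-wide device setting was the enforcement mechanism instead, revert it in the portal under Identity > Devices > Device settings; the script above only touches Conditional Access.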

References: