
Enable MFA for Microsoft Entra Connector Directories

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that MFA using a Remote Authentication Dial In User Service (RADIUS) server is enabled for your Microsoft Entra Connector directories created with Amazon WorkDocs, in order to secure access to your resources and adhere to AWS security best practices. Microsoft Entra Connector is a directory gateway to your on-premises Microsoft Active Directory that enables the users within your on-premises Microsoft Entra ID to access Amazon WorkDocs. Multi-Factor Authentication (MFA) is a simple and efficient method of verifying a user's identity by requiring an authentication code generated by a separate device (in this case validated by a RADIUS server), used in addition to your usual access credentials (i.e., username and password).

Security

Having RADIUS-based MFA protection for your Microsoft Entra Connector directories is the best way to protect your services and resources against attackers. The RADIUS-validated passcode adds an extra layer of protection on top of your existing user credentials, so that a stolen or guessed password alone is not enough to access your Microsoft Entra Connector directories: an attacker would also need the MFA-generated passcode.


Audit

To determine if your Microsoft Entra Connector directories are using Multi-Factor Authentication (MFA) with RADIUS, perform the following actions:

Note: Verifying the MFA status and configuration of Microsoft Entra Connector directories using the AWS Management Console is not currently supported; the feature can be enabled and configured only through the AWS Command Line Interface (CLI).

Using AWS CLI

01 Run the describe-directories command (OSX/Linux/UNIX) to list the identifiers of all the Microsoft Entra Connector directories available in the selected AWS region (the trailing backslashes continue the command across lines):

aws ds describe-directories \
	--region us-east-1 \
	--output table \
	--query 'DirectoryDescriptions[*].DirectoryId'

02 The command output should return a table with the requested resource IDs:

---------------------
|DescribeDirectories|
+-------------------+
|   d-12345abcde    |
|   d-abcd012345    |
|   d-aabbcc1234    |
+-------------------+

03 Run the describe-directories command (OSX/Linux/UNIX) again, using the ID of the Microsoft Entra Connector directory that you want to examine as the identifier and a custom query filter, to get the status of the Remote Authentication Dial In User Service (RADIUS) MFA server connection:

aws ds describe-directories \
	--region us-east-1 \
	--directory-ids d-12345abcde \
	--query 'DirectoryDescriptions[*].RadiusStatus'

04 The command output should return the requested status information:

[]

If the describe-directories command output returns an empty array, as shown in the example above, the RadiusStatus attribute is absent and no RADIUS MFA server is configured for the selected Microsoft Entra Connector directory; therefore the resource does not have Multi-Factor Authentication (MFA) protection enabled.

05 Repeat steps no. 3 and 4 to determine the MFA status for other Microsoft Entra Connector directories available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable RADIUS-based MFA protection for your Microsoft Entra Connector directories, perform the following actions:

Note: Enabling Multi-Factor authentication for Microsoft Entra Connector directories using the AWS Management Console is not currently supported.

Using AWS CLI

01 Define the RADIUS MFA server settings required for the enable-radius command request. Create a new JSON document, name it radius-mfa-config.json, and paste the following information (replace the RADIUS configuration details specified below with your own RADIUS server details):

{
  "RadiusServers": ["radius.cloudconformity.com"],
  "RadiusPort": 1812,
  "RadiusTimeout": 30,
  "RadiusRetries": 3,
  "SharedSecret": "radiusmfa",
  "AuthenticationProtocol": "PAP",
  "DisplayLabel": "RADIUS Multi-Factor Authentication",
  "UseSameUsername": true
}

02 Run the enable-radius command (OSX/Linux/UNIX), passing the JSON configuration file created at the previous step (i.e., radius-mfa-config.json) as the --radius-settings parameter, to enable Multi-Factor Authentication (MFA) for the specified Microsoft Entra Connector directory using a Remote Authentication Dial In User Service (RADIUS) server (the command does not produce any output):

aws ds enable-radius \
	--region us-east-1 \
	--directory-id d-12345abcde \
	--radius-settings file://radius-mfa-config.json

03 Repeat steps no. 1 and 2 to enable RADIUS-based Multi-Factor Authentication for other Microsoft Entra Connector directories available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.
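The following script is an added example (not part of the Conformity page or the AWS CLI) that automates the audit and remediation checks above: it evaluates the JSON returned by describe-directories for every directory in a region and validates a radius-mfa-config.json document before it is passed to enable-radius. It assumes the RadiusStatus values Creating, Completed and Failed and the Type value ADConnector reported by the Directory Service API; the 16-character minimum for SharedSecret is a local policy choice, not an AWS requirement.

```python
import json

# RadiusStatus values reported by the DescribeDirectories API; only Completed
# means the RADIUS MFA server is actually enforcing authentication (assumption).
RADIUS_ENABLED_STATES = {"Completed"}
ALLOWED_PROTOCOLS = {"PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2"}
PLACEHOLDER_SECRETS = {"radiusmfa", "secret", "changeme", ""}
MIN_SECRET_LEN = 16  # local policy threshold, not an API limit


def audit_directories(descriptions):
    """Map DirectoryId -> finding for the ADConnector entries of DirectoryDescriptions.

    A missing RadiusStatus is the empty-array case from the audit steps: no RADIUS
    MFA server configured. Creating/Failed are reported as-is so they get reviewed.
    """
    findings = {}
    for d in descriptions:
        if d.get("Type") != "ADConnector":  # API type name for this directory kind
            continue
        status = d.get("RadiusStatus")
        if status is None:
            findings[d["DirectoryId"]] = "mfa-not-configured"
        elif status in RADIUS_ENABLED_STATES:
            findings[d["DirectoryId"]] = "ok"
        else:
            findings[d["DirectoryId"]] = "radius-" + status.lower()
    return findings


def validate_radius_settings(cfg):
    """Return a list of problems found in a radius-mfa-config.json document."""
    problems = []
    if not cfg.get("RadiusServers"):
        problems.append("RadiusServers must list at least one server")
    if not 1 <= int(cfg.get("RadiusPort", 0)) <= 65535:
        problems.append("RadiusPort must be a valid UDP port")
    if cfg.get("AuthenticationProtocol") not in ALLOWED_PROTOCOLS:
        problems.append("AuthenticationProtocol must be one of " + ", ".join(sorted(ALLOWED_PROTOCOLS)))
    secret = cfg.get("SharedSecret", "")
    if secret in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN:
        problems.append("SharedSecret is a placeholder or shorter than %d characters" % MIN_SECRET_LEN)
    return problems


# Constructed sample mirroring `aws ds describe-directories --output json`.
SAMPLE_DESCRIBE = json.loads('{"DirectoryDescriptions": ['
    '{"DirectoryId": "d-12345abcde", "Type": "ADConnector"},'
    '{"DirectoryId": "d-abcd012345", "Type": "ADConnector", "RadiusStatus": "Completed"},'
    '{"DirectoryId": "d-aabbcc1234", "Type": "ADConnector", "RadiusStatus": "Failed"}]}')

if __name__ == "__main__":
    for dir_id, finding in audit_directories(SAMPLE_DESCRIBE["DirectoryDescriptions"]).items():
        print(dir_id, finding)
```

To run it against live data, pipe the output of the first audit command (with --output json and without the --query filter) into json.loads and pass the DirectoryDescriptions list to audit_directories.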

Publication date Mar 1, 2019