Multi-factor Authentication For All Non-privileged Users

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-002

Ensure that Multi-Factor Authentication (MFA) is enabled for non-privileged users such as developers, service readers or operators, in order to help safeguard access to Microsoft Azure cloud data and applications. MFA reduces organizational risk and helps achieve regulatory compliance by providing an additional layer of security on top of the existing user credentials, using a second form of authentication to secure employee, customer and partner access. By default, per-user Multi-Factor Authentication is disabled for all Microsoft Azure users.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

MFA represents a simple and efficient method of validating your Azure cloud user identity by requiring an authentication code generated by a virtual or hardware device, in addition to your usual access credentials, i.e. user name and password. With Azure Multi-Factor Authentication enabled, a password that an attacker manages to discover (through phishing, credential stuffing or a leaked database) is useless on its own, because signing in also requires access to the additional authentication method (in this case the MFA device).

Audit

To determine if MFA is enabled for non-privileged Azure users, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu.

05 From View dropdown list, select Sign-in allowed users to list all Azure users that are allowed to sign-in to the Management Console.

06 Choose the non-privileged user that you want to examine and check the MFA feature status available in the MULTI-FACTOR AUTH STATUS column. If the status is set to Disabled, Multi-Factor Authentication is not enabled, therefore the authentication process for the selected non-privileged Microsoft Azure user is not MFA-protected.

07 Repeat step no. 6 for each user that you want to examine, available in your Azure account.

Using Azure CLI and PowerShell

01 Run az ad user list command (Windows/macOS/Linux) with custom query filters to list all Microsoft Entra ID users available within your account:

az ad user list \
  --query '[].{userPrincipalName:userPrincipalName}' \
  --output table

02 The command output should return all your Microsoft Entra ID user names:

UserPrincipalName
------------------------------------------------
datadeveloper@cloudconformity.onmicrosoft.com
securitymanager@cloudconformity.onmicrosoft.com
identityoperator@cloudconformity.onmicrosoft.com

03 Run az role assignment list command (Windows/macOS/Linux) using query filters to return the name of the access control role(s) assigned to the Microsoft Entra ID user that you want to examine. The --all flag is required to include assignments scoped to resource groups and individual resources; without it only subscription-scoped assignments are returned and a resource-group Contributor would be missed:

az role assignment list \
  --all \
  --include-classic-administrators true \
  --assignee datadeveloper@cloudconformity.onmicrosoft.com \
  --query '[].{roleDefinitionName:roleDefinitionName}'

04 The command output should return an array that contains the name of each role assigned to the specified Microsoft Entra ID user. The role name indicates whether the user is privileged. For the purpose of this rule, all roles except Owner, *Contributor and *Administrator are considered non-privileged:

[
	{
		"roleDefinitionName": "Data Lake Analytics Developer"
	}
]

If the roleDefinitionName attribute value is set to something other than Owner, *Contributor or *Administrator, such as *Developer as shown in the output example above, the selected user does not have privileged access, therefore the Audit process continues with the next step. Otherwise, the user has privileged access and the rule audit ends here. Keep in mind that az role assignment list returns only Azure RBAC (resource) role assignments; membership in Microsoft Entra directory roles such as Global Administrator is not visible here and has to be checked separately before treating a user as non-privileged.

05 Open a Windows PowerShell command prompt and run Install-Module MSOnline command to install the MSOnline PowerShell module for Microsoft Entra ID. Make sure that you run PowerShell as an administrator for this command. Note that Microsoft has deprecated the MSOnline module in favor of the Microsoft Graph PowerShell SDK, so confirm that it is still supported in your environment before relying on the steps below:

Install-Module MSOnline

06 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific Microsoft Entra ID environment (for example a sovereign cloud), use the -AzureEnvironment parameter, as shown in the example below (replace the placeholder value with your own environment name):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

07 Run Get-MsolUser PowerShell command for the selected Microsoft Entra ID user and filter on its per-user MFA state to identify whether Multi-Factor Authentication (MFA) is enabled. The per-user MFA state is stored in the StrongAuthenticationRequirements property (an empty collection means Disabled); StrongAuthenticationMethods, by contrast, lists the verification methods the user has registered, and a user can be Enabled without having registered anything yet:

Get-MsolUser -UserPrincipalName datadeveloper@cloudconformity.onmicrosoft.com | Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } | Select-Object -Property UserPrincipalName

08 The command output returns the name of the examined Azure user if MFA is disabled, otherwise the command does not produce any output at all:

UserPrincipalName
-----------------
datadeveloper@cloudconformity.onmicrosoft.com

If Get-MsolUser command output returns the name of the specified user, the Multi-Factor Authentication feature is not enabled, thus the authentication process for the selected non-privileged Microsoft Azure user is not MFA-protected.

09 Repeat steps no. 3 – 8 for each Microsoft Entra ID user that you want to examine.
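The CLI and PowerShell audit above is written for one user at a time. The script below is an added example (not part of the original Conformity page) that runs the same check across every sign-in-enabled user: it classifies each user with the page's privileged-role rule (Owner, *Contributor, *Administrator) from their Azure RBAC assignments, reads the per-user MFA state, and flags the non-privileged users whose state is Disabled. It assumes the MSOnline and Az.Resources modules are installed and that Connect-MsolService and Connect-AzAccount have already been run against the tenant and subscription you are auditing; the function names are this example's own.

```powershell
# Added example, not from the original page. Assumes MSOnline and Az.Resources
# are installed and Connect-MsolService / Connect-AzAccount were already run.

# Role-name rule from the Audit section: anything else counts as non-privileged.
$PrivilegedRolePattern = '^(Owner|.*Contributor|.*Administrator)$'

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] $User)   # a Microsoft.Online.Administration.User object
    # Per-user MFA state lives in StrongAuthenticationRequirements; an empty
    # collection means Disabled. Registered methods (StrongAuthenticationMethods)
    # are a separate property and do not by themselves mean MFA is required.
    if ($User.StrongAuthenticationRequirements.Count -gt 0) {
        return $User.StrongAuthenticationRequirements[0].State   # Enabled or Enforced
    }
    return 'Disabled'
}

function Test-PrivilegedUser {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # Azure RBAC assignments for the user at every scope of the current
    # subscription. This does NOT cover Microsoft Entra directory roles
    # (e.g. Global Administrator); check those separately.
    $roles = Get-AzRoleAssignment -SignInName $UserPrincipalName |
             Select-Object -ExpandProperty RoleDefinitionName -Unique
    foreach ($r in $roles) {
        if ($r -match $PrivilegedRolePattern) { return $true }
    }
    return $false
}

# Only users allowed to sign in matter, matching the "Sign-in allowed users"
# view in the portal.
$findings = foreach ($u in Get-MsolUser -All -EnabledFilter EnabledOnly) {
    $state      = Get-PerUserMfaState -User $u
    $privileged = Test-PrivilegedUser -UserPrincipalName $u.UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Privileged        = $privileged
        MfaState          = $state
        RegisteredMethods = $u.StrongAuthenticationMethods.Count
        # Rule ActiveDirectory-002 only concerns non-privileged users.
        Finding           = (-not $privileged) -and ($state -eq 'Disabled')
    }
}

# Findings first; privileged users without MFA are out of scope for this rule
# but still visible in the table so they are not silently ignored.
$findings | Sort-Object Finding -Descending | Format-Table -AutoSize
```

The RegisteredMethods column is there so that users who are Enabled but have never completed registration stand out: they are not yet protected in practice, even though the per-user state is no longer Disabled.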

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) for your non-privileged Azure users, perform the following actions:

Note 1: By default, per-user MFA is disabled for all Microsoft Azure users, therefore their MFA state is set to Disabled. Once you enable MFA for your Azure users, their state changes to Enabled. When enabled users sign in and complete the MFA registration process, their state changes to Enforced. Per-user MFA is the legacy model; Microsoft's current recommendation is to require MFA through Conditional Access policies (or security defaults), which do not change the per-user states described here.
Note 2: As an example, this conformity rule uses Microsoft Authenticator as the MFA virtual device.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under verification options, select the method(s) that you want to use for Multi-Factor Authentication feature from Methods available to users section.

07 Click Save to apply the changes, then click Close to return to the settings page.

08 Click users and select Sign-in allowed users to list all users that are allowed to sign-in to the Azure Management Console.

09 Select the user that you want to enroll in MFA (see Audit section part I to identify the right Microsoft Entra ID user), then click Enable under quick steps, in the right menu.

10 Inside the confirmation box, click enable multi-factor auth to enable Multi-Factor Authentication for the selected Azure user. Click Close to return to the console.

11 Install Microsoft Authenticator application, then sign in to your Microsoft Azure account with the user configured for MFA earlier in the process. Once signed in, you will be redirected to the Additional security verification page and asked to complete the MFA registration process.

12 On the verification page, under Step 1: How should we contact you, select Mobile app and the Use verification code option to specify how you want to use the authenticator app. Click Set up to start the registration process.

13 Open the mobile application, choose Add account and select the Work or school account option.

14 Inside Configure mobile app box, scan the generated QR code image using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next to continue the process.

15 Back on the Additional security verification page, click Next. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

16 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for verification in case you no longer have access to the MFA device, then choose Next. Click Done to finish the MFA registration process. The MFA state for the user should be automatically switched to Enforced once the registration process is complete.

17 Repeat steps no. 9 – 16 for each non-privileged user that you want to configure for MFA protection, available in your Azure account.

Using Azure CLI and PowerShell

01 Open a Windows PowerShell command prompt and run Install-Module MSOnline command to install the MSOnline PowerShell module for Microsoft Entra ID. Make sure that you run PowerShell as an administrator for this command. Note that Microsoft has deprecated the MSOnline module in favor of the Microsoft Graph PowerShell SDK, so confirm that it is still supported in your environment before relying on the steps below:

Install-Module MSOnline

02 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific Microsoft Entra ID environment (for example a sovereign cloud), use the -AzureEnvironment parameter, as shown in the example below (replace the placeholder value with your own environment name):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Define the Multi-Factor Authentication (MFA) configuration requirement that will be used later as the value of the -StrongAuthenticationRequirements parameter in order to enable MFA using Set-MsolUser command. RelyingParty "*" applies the requirement to all applications and State "Enabled" moves the user to the Enabled state, so they are prompted to register at their next sign-in:

$config = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$config.RelyingParty = "*"
$config.State = "Enabled"
$mfaconfig = @($config)

04 Run Set-MsolUser PowerShell command (using MSOnline module) using the name of the non-privileged user that you want to reconfigure as the -UserPrincipalName parameter value (see Audit section part II to identify the right user) and the MFA requirement defined at the previous step, to update the selected user configuration and enable Multi-Factor Authentication (MFA):

Set-MsolUser `
  -UserPrincipalName datadeveloper@cloudconformity.onmicrosoft.com `
  -StrongAuthenticationRequirements $mfaconfig

05 Now that Multi-Factor Authentication is enabled for the selected Azure user, you have to start the MFA registration process. Install Microsoft Authenticator application and sign in to your Microsoft Azure account with the user configured for MFA at the previous step. Once signed in, you will be redirected to the Additional security verification page and asked to complete the registration process.

06 On the verification page, under Step 1: How should we contact you, select Mobile app and the Use verification code option to specify how you want to use the authenticator application. Click Set up to initiate the registration process.

07 Open the mobile app, choose Add account and select Work or school account.

08 Inside Configure mobile app box, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next to continue.

09 Back on the Additional security verification page, click Next to continue the process. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

10 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for verification in case you don’t have access to the MFA device anymore, then choose Next. Click Done to finish the MFA registration process. The user MFA status should be automatically switched to Enforced once the registration process is complete.

11 Repeat steps no. 3 – 10 for each non-privileged Microsoft Azure user that you want to reconfigure in order to enable Multi-Factor Authentication. Steps no. 1 and 2 (module installation and sign-in) only need to be performed once per session.
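Steps 3 and 4 of the PowerShell remediation enable MFA for one user per run. The script below is an added example (not part of the original Conformity page) that applies the same StrongAuthenticationRequirement object to a list of non-privileged users, such as the ones identified during the Audit, and adds the two safeguards a practitioner wants before touching many accounts: it skips users whose state is already Enabled or Enforced, so an Enforced user is never overwritten back to Enabled, and it supports -WhatIf for a dry run. It assumes the MSOnline module is installed and Connect-MsolService has been run; the user list and the function name are this example's own.

```powershell
# Added example, not from the original page. Assumes the MSOnline module is
# installed and Connect-MsolService was already run. The user list below is
# constructed for illustration; feed it the UPNs found during the Audit.
$NonPrivilegedUsers = @(
    'datadeveloper@cloudconformity.onmicrosoft.com',
    'identityoperator@cloudconformity.onmicrosoft.com'
)

function Enable-PerUserMfa {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Leave users that are already Enabled or Enforced alone: writing a fresh
    # "Enabled" requirement would overwrite an Enforced state.
    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $current = $user.StrongAuthenticationRequirements[0].State
        return [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; Result = "Skipped ($current)" }
    }

    # Same requirement object the page builds in remediation step 3.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'      # apply to all relying parties
    $requirement.State        = 'Enabled' # user is prompted to register at next sign-in

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable per-user MFA')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
        # Read the state back so the result reflects what the service stored,
        # not what was sent.
        $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationRequirements
        $state = if ($after.Count -gt 0) { $after[0].State } else { 'Disabled' }
        return [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; Result = $state }
    }
    return [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; Result = 'WhatIf' }
}

# Dry run first; remove -WhatIf to apply the change.
$NonPrivilegedUsers |
    ForEach-Object { Enable-PerUserMfa -UserPrincipalName $_ -WhatIf } |
    Format-Table -AutoSize
```

After the change each affected user still has to complete the registration flow described in steps 5 to 10 before their state moves from Enabled to Enforced; re-running the Audit script afterwards confirms that no non-privileged user remains Disabled.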

Publication date Aug 30, 2019