
Multi-factor Authentication For All Privileged Users

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-001

Ensure that Multi-Factor Authentication is enabled for all user credentials that have write access to the cloud resources within your Microsoft Azure account. Multi-Factor Authentication (MFA) is a simple, yet efficient method of verifying your Azure user identity by requiring an authentication code generated by a virtual or hardware device, also known as passcode, used in addition to your usual access credentials such as user name and password.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Having an MFA-protected Azure account represents an efficient way to safeguard your cloud resources against malicious users and attackers, as Multi-Factor Authentication adds extra security to the authentication process by requiring privileged users (contributors, subscription owners and service co-administrators) to present a minimum of two separate forms of authorization before their access is granted. With Multi-Factor Authentication (MFA) enabled, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromising access credentials and thus reducing the risk of attack significantly.


Audit

To determine if MFA is enabled for all Microsoft Azure privileged users, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu. This will open Azure MFA management portal.

05 From View dropdown list, select the privileged user category that you want to examine. The privileged users can be owners, co-administrators or contributors.

06 Choose the user that you want to examine and check the feature status available in the MULTI-FACTOR AUTH STATUS column. If the status is Disabled, the MFA feature is not enabled, therefore the authentication process for the selected privileged Microsoft Azure user is not MFA-protected.

07 Repeat step no. 6 for each user that you want to examine within the current user category.

08 Repeat steps no. 5 – 7 for each privileged user category within the Microsoft Entra ID.

Using Azure CLI and PowerShell

01 Run az ad user list command (Windows/macOS/Linux) using query filters to list all Microsoft Entra ID users:

az ad user list \
  --query '[].{userPrincipalName:userPrincipalName}' \
  --output table

02 The command output should return a table that contains all your Microsoft Entra ID user names:

UserPrincipalName
-----------------------------------------------
azuremanager@cloudconformity.onmicrosoft.com
azadministrator@cloudconformity.onmicrosoft.com

03 Run az role assignment list command (Windows/macOS/Linux) with custom query filters to return the name of the access control role(s) assigned to the Microsoft Entra ID user that you want to examine:

az role assignment list \
  --include-classic-administrators true \
  --assignee azuremanager@cloudconformity.onmicrosoft.com \
  --query '[].{roleDefinitionName:roleDefinitionName}'

04 The command output should return an array that contains the name of the role(s) assigned to the specified Microsoft Entra ID user. The role name indicates whether the examined user is privileged (i.e. has write access to Azure resources) or not. The name of a privileged user role is Owner, *Contributor or *Administrator. If the roleDefinitionName attribute value is set to Owner, *Contributor or *Administrator, as shown in the output example above, the selected user has privileged access and the Audit process continues with the next step. Otherwise, the user is not privileged and the conformity rule audit ends here.

05 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run the Install-Module MSOnline command to install the MSOnline PowerShell module for Microsoft Entra ID.

06 Run the Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command is issued you should be prompted for your Microsoft Entra ID credentials. To connect to a specific Microsoft Entra ID environment, use the -AzureEnvironment parameter, as shown in the example above (replace the highlighted placeholder with your own Microsoft Entra ID environment name).

07 Run the Get-MsolUser PowerShell command (using the MSOnline module) with custom query filters to identify whether the selected Microsoft Entra ID user has registered for Multi-Factor Authentication (MFA).

08 The command output returns the user name of the examined Microsoft Entra ID user if MFA is disabled; otherwise the command produces no output at all. If the Get-MsolUser command output returns the name of the examined user, the MFA feature is not enabled, therefore the authentication process for the selected privileged Microsoft Azure user is not MFA-protected.

09 Repeat steps no. 3 – 8 for each Microsoft Entra ID user that you want to examine.
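The following PowerShell script is an added example, not part of the original rule page: it chains Audit steps 1 to 8 into a single pass over the tenant, classifying each user as privileged by the role-name rule given above (Owner, *Contributor or *Administrator) and reading the per-user MFA state through the MSOnline module. It assumes the Azure CLI is already logged in (az login) and Connect-MsolService has already been run; the function names Test-PrivilegedRole and Get-MfaState are this example's own.

```powershell
# Added example (not the rule page's own code): audit MFA state for every
# privileged user in the tenant. Assumes `az login` and Connect-MsolService
# have already been completed in this session.

function Test-PrivilegedRole {
    # Privileged per this rule: Owner, any *Contributor, any *Administrator.
    param([string[]]$RoleNames)
    foreach ($r in $RoleNames) {
        if ($r -eq 'Owner' -or $r -like '*Contributor' -or $r -like '*Administrator') {
            return $true
        }
    }
    return $false
}

function Get-MfaState {
    # StrongAuthenticationRequirements is empty while per-user MFA is Disabled;
    # otherwise its State is Enabled (enrolled) or Enforced (registered).
    param([string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($u.StrongAuthenticationRequirements.Count -eq 0) { return 'Disabled' }
    return $u.StrongAuthenticationRequirements[0].State
}

# Audit step 1: every user principal name in the tenant, one per line.
$upns = az ad user list --query '[].userPrincipalName' --output tsv

$findings = foreach ($upn in $upns) {
    # Audit steps 3-4: RBAC roles, including classic co-administrators.
    $roles = az role assignment list --include-classic-administrators true `
        --assignee $upn --query '[].roleDefinitionName' --output tsv
    if (-not (Test-PrivilegedRole -RoleNames $roles)) { continue }

    # Audit steps 7-8: per-user MFA state from MSOnline.
    [pscustomobject]@{
        UserPrincipalName = $upn
        Roles             = ($roles -join ', ')
        MfaState          = Get-MfaState -UserPrincipalName $upn
    }
}

# Findings: privileged users whose MFA state is still Disabled (non-compliant).
$findings | Where-Object MfaState -eq 'Disabled' | Format-Table -AutoSize
```

This reports only the per-user MFA state the rule audits; a tenant that enforces MFA through Conditional Access or security defaults instead will still show Disabled here, so confirm those policies separately before treating a result as a finding.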

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) for your Azure cloud privileged users, perform the following actions:

Note 1: By default, MFA is disabled for all Microsoft Azure users, therefore their MFA state is set to Disabled. Once you enroll your users within MFA, their state changes to Enabled. When enabled users sign in and complete the MFA registration process, their state changes to Enforced.
Note 2: As an example, this conformity rule will use Microsoft Authenticator as MFA device as this is one of the most popular MFA virtual devices used by Azure cloud customers.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under verification options, select the method(s) that you want to use for Multi-Factor Authentication from Methods available to users.

07 Click Save to apply the changes, then click Close to return to the settings page.

08 Click users and select the appropriate privileged user category from the View dropdown list. The privileged users can be owners, co-administrators or contributors.

09 Select the user that you want to enroll in MFA (see Audit section part I to identify the right user) and click Enable under quick steps, in the right menu.

10 On the action confirmation box, click enable multi-factor auth to enable Multi-Factor Authentication for the selected Microsoft Azure user. Click Close to return to the console.

11 Install Microsoft Authenticator application, then sign in to your Microsoft Azure account with the user configured for MFA at the previous steps. Once signed in, you will be redirected to the Additional security verification page and asked to complete the MFA registration process.

12 On the verification page, under Step 1: How should we contact you, select Mobile app and the Use verification code option to specify how you want to use the Microsoft Authenticator app. Click Set up to initiate the registration process.

13 Open the mobile app, choose Add account and select Work or school account.

14 Inside Configure mobile app box, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next.

15 Back on the Additional security verification page, click Next to continue the process. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

16 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for adding phone verification to your user password, then choose Next. Click Done to finish the MFA registration process. The MFA state for the user should be automatically switched to Enforced once the registration process is completed.

17 Repeat steps no. 9 – 16 for each privileged user that you want to reconfigure for MFA, available in the current user category.

18 Repeat steps no. 9 – 17 for each privileged user category within your Microsoft Entra ID.

Using Azure CLI and PowerShell

01 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run the Install-Module MSOnline command to install the MSOnline PowerShell module for Microsoft Entra ID:

Install-Module MSOnline

02 Run the Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command is issued you should be prompted for your Microsoft Entra ID credentials. To connect to a specific Microsoft Entra ID environment, use the -AzureEnvironment parameter, as shown in the example below (replace the highlighted placeholder with your own Microsoft Entra ID environment name):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Define an array of strong authentication (i.e. MFA) requirements that will be used later as the value of the -StrongAuthenticationRequirements parameter in order to activate MFA using the Set-MsolUser command:

$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
$setmfa = @($mfa)

04 Run the Set-MsolUser PowerShell command (using the MSOnline module) with the name of the user that you want to reconfigure as the -UserPrincipalName parameter value (see Audit section part II to identify the right user) and the strong authentication requirements array defined at the previous step, to update the selected user configuration and enable Multi-Factor Authentication (MFA):

Set-MsolUser `
  -UserPrincipalName azuremanager@cloudconformity.onmicrosoft.com `
  -StrongAuthenticationRequirements $setmfa

05 Now that the feature is enabled for the selected Azure user, you have to start the Multi-Factor Authentication (MFA) registration process. Install Microsoft Authenticator application then sign in to your Microsoft Azure account with the user configured for MFA at the previous step. Once signed in, you will be redirected to the Additional security verification page and prompted to complete the registration process.

06 On the verification page, under Step 1: How should we contact you, select Mobile app and the Use verification code option to specify how you want to use the Microsoft Authenticator app. Click Set up to initiate the registration process.

07 Open the mobile app, choose Add account and select Work or school account.

08 Inside Configure mobile app box, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next.

09 Back on the Additional security verification page, click Next to continue the process. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

10 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for adding phone verification to your user password, then choose Next. Click Done to finish the MFA registration process. The user MFA state should be automatically switched to Enforced once the registration process is completed.

11 Repeat steps no. 1 – 10 for each privileged Microsoft Azure user that you want to reconfigure in order to enable Multi-Factor Authentication (MFA).

Publication date Aug 30, 2019