
Enable Multi-Factor Authentication for Privileged Users

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-001

Ensure that Multi-Factor Authentication is enabled for all user credentials that have write access to the cloud resources within your Microsoft Azure account. Multi-Factor Authentication (MFA) is a simple yet effective method of verifying an Azure user's identity: in addition to the usual access credentials (user name and password), the user must supply an authentication code (passcode) generated by a virtual or hardware device.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Having an MFA-protected Azure account is an efficient way to safeguard your cloud resources against malicious users and attackers, because Multi-Factor Authentication adds an extra layer to the authentication process: privileged users (contributors, subscription owners and service co-administrators) must present at least two separate forms of authentication before access is granted. With Multi-Factor Authentication (MFA) enabled, an attacker would need to compromise at least two different authentication mechanisms, which makes compromising access credentials considerably harder and reduces the risk of attack significantly.

Audit

To determine if MFA is enabled for all Microsoft Azure privileged users, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu. This will open Azure MFA management portal.

05 From View dropdown list, select the privileged user category that you want to examine. The privileged users can be owners, co-administrators or contributors.

06 Choose the user that you want to examine and check the feature status available in the MULTI-FACTOR AUTH STATUS column. If the status is Disabled, the MFA feature is not enabled, therefore the authentication process for the selected privileged Microsoft Azure user is not MFA-protected.

07 Repeat step no. 6 for each user that you want to examine within the current user category.

08 Repeat steps no. 5 – 7 for each privileged user category within the Microsoft Entra ID.

Using Azure CLI

01 Run az ad user list command (Windows/macOS/Linux) using query filters to list all Microsoft Entra ID users:

az ad user list \
	--query '[].{userPrincipalName:userPrincipalName}' \
	--output table

02 The command output should return a table that contains all your Microsoft Entra ID user names:

UserPrincipalName
-----------------------------------------------
azuremanager@cloudconformity.onmicrosoft.com
azadministrator@cloudconformity.onmicrosoft.com

03 Run az role assignment list command (Windows/macOS/Linux) with custom query filters to return the name of the access control role(s) assigned to the Microsoft Entra ID user that you want to examine:

az role assignment list \
	--all \
	--assignee azuremanager@cloudconformity.onmicrosoft.com \
	--query '[].{roleDefinitionName:roleDefinitionName}'

04 The command output should return an array that contains the name of the role assigned to the specified Microsoft Entra ID user. The role name indicates if the examined user is privileged (i.e. has write access to Azure resources) or not. The name of the privileged user role must be Owner, *Contributor or *Administrator:

[
	{
		"roleDefinitionName": "Owner"
	}
]

If the roleDefinitionName attribute value is set to Owner, *Contributor or *Administrator, as shown in the output example above, the selected user has privileged access, thus the Audit process continues with the next step. Otherwise, the user is not privileged and the conformity rule audit ends here.

05 Run az ad user show command to get the user's object ID:

az ad user show \
	--id azuremanager@cloudconformity.onmicrosoft.com \
	--query id -o tsv

06 The command output returns the user's object ID:

abcd1234-5678-90ab-cdef-1234567890ab

07 Run az rest command to check the per-user MFA state using the Microsoft Graph API:

az rest --method GET \
	--uri 'https://graph.microsoft.com/beta/users/abcd1234-5678-90ab-cdef-1234567890ab/authentication/requirements' \
	--query perUserMfaState

Note: Checking per-user MFA state requires elevated administrative privileges. Your account must have one of the following roles: Global Administrator, Privileged Authentication Administrator, or Security Administrator.

08 The command output returns the per-user MFA state:

"disabled"

If the output is "disabled" or null, Multi-Factor Authentication is not enabled for the privileged user. If the output is "enabled" or "enforced", MFA is configured for the user.

09 Repeat steps no. 3 – 8 for each Microsoft Entra ID user that you want to examine.
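The Azure CLI audit above, automated end to end as an added example (this is not Conformity's own code). The live path assumes the az CLI is installed and signed in with one of the roles named in the Note; the user names, object IDs and role names in demo() are constructed sample data, and the role patterns and accepted MFA states are taken from steps 4 and 8.

```python
"""Audit per-user MFA for privileged Entra ID users (added example, not Conformity code)."""
import json
import subprocess
from fnmatch import fnmatchcase

PRIVILEGED_ROLE_PATTERNS = ("Owner", "*Contributor", "*Administrator")  # per Audit step 4
COMPLIANT_STATES = ("enabled", "enforced")  # per-user MFA states accepted in Audit step 8
GRAPH_REQ = "https://graph.microsoft.com/beta/users/{oid}/authentication/requirements"

def az(*args):  # run an az CLI command and parse its JSON output (None on an empty body)
    out = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None

def is_privileged_role(role_name):
    return any(fnmatchcase(role_name, p) for p in PRIVILEGED_ROLE_PATTERNS)

def mfa_compliant(state):
    # Graph returns "disabled", "enabled", "enforced", or null when MFA was never configured.
    return state is not None and state.lower() in COMPLIANT_STATES

def audit(users, roles_for, mfa_state_for):
    """Return [(upn, privileged roles, state)] for privileged users lacking per-user MFA."""
    findings = []
    for upn, oid in users:
        roles = [r for r in roles_for(upn) if is_privileged_role(r)]
        if not roles:
            continue  # not privileged: the rule does not apply to this user
        state = mfa_state_for(oid)
        if not mfa_compliant(state):
            findings.append((upn, roles, state))
    return findings

def demo():  # the audit over constructed sample data, so it runs without Azure access
    users = [("owner@contoso.test", "oid-1"), ("reader@contoso.test", "oid-2"),
             ("contrib@contoso.test", "oid-3")]
    roles = {"owner@contoso.test": ["Owner"], "reader@contoso.test": ["Reader"],
             "contrib@contoso.test": ["Storage Blob Data Contributor"]}
    states = {"oid-1": "enforced", "oid-2": None, "oid-3": None}  # oid-3 never enrolled
    return audit(users, roles.get, states.get)

def main():  # live audit of the signed-in tenant, following Audit steps 1 to 8
    users = [(u["userPrincipalName"], u["id"]) for u in az("ad", "user", "list")]
    roles = lambda upn: [a["roleDefinitionName"] for a in
                         az("role", "assignment", "list", "--all", "--assignee", upn)]
    mfa = lambda oid: (az("rest", "--method", "GET", "--uri", GRAPH_REQ.format(oid=oid))
                       or {}).get("perUserMfaState")
    return audit(users, roles, mfa)

if __name__ == "__main__":
    print(main())
```

Every tuple main() returns is a privileged user whose per-user MFA state is disabled or never set, which is exactly the non-compliant case of step 8.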

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) for your Azure cloud privileged users, perform the following actions:

Note 1: By default, MFA is disabled for all Microsoft Azure users, so their MFA state is Disabled. Once you enroll a user in MFA, the state changes to Enabled. When an enabled user signs in and completes the MFA registration process, the state changes to Enforced.
Note 2: As an example, this conformity rule uses Microsoft Authenticator as the MFA device, as it is one of the most popular virtual MFA devices used by Azure cloud customers.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under verification options, select the method(s) that you want to use for Multi-Factor Authentication from Methods available to users.

07 Click Save to apply the changes, then click Close to return to the settings page.

08 Click users and select the appropriate privileged user category from the View dropdown list. The privileged users can be owners, co-administrators or contributors.

09 Select the user that you want to enroll in MFA (see Audit section part I to identify the right user) and click Enable under quick steps, in the right menu.

10 On the action confirmation box, click enable multi-factor auth to enable Multi-Factor Authentication for the selected Microsoft Azure user. Click Close to return to the console.

11 Install Microsoft Authenticator application, then sign in to your Microsoft Azure account with the user configured for MFA at the previous steps. Once signed in, you will be redirected to the Additional security verification page and asked to complete the MFA registration process.

12 On the verification page, under Step 1: How should we contact you, select Mobile app and the Use verification code option to specify how you want to use the Microsoft Authenticator app. Click Set up to initiate the registration process.

13 Open the mobile app, choose Add account and select Work or school account.

14 Inside Configure mobile app box, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next.

15 Back on the Additional security verification page, click Next to continue the process. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

16 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for adding phone verification to your user password, then choose Next. Click Done to finish the MFA registration process. The MFA state for the user should be automatically switched to Enforced once the registration process is completed.

17 Repeat steps no. 9 – 16 for each privileged user that you want to reconfigure for MFA, available in the current user category.

18 Repeat steps no. 9 – 17 for each privileged user category within your Microsoft Entra ID.

Using Azure CLI

01 Get the object ID for the privileged user you want to enable MFA for (see Audit section to identify the right user):

az ad user show \
	--id azuremanager@cloudconformity.onmicrosoft.com \
	--query id -o tsv

02 The command output returns the user's object ID:

abcd1234-5678-90ab-cdef-1234567890ab

03 Enable per-user MFA using the az rest command to call the Microsoft Graph API:

az rest --method PATCH \
	--uri 'https://graph.microsoft.com/beta/users/abcd1234-5678-90ab-cdef-1234567890ab/authentication/requirements' \
	--body '{"perUserMfaState":"enabled"}'

Note: This command requires elevated administrative privileges. Your account must have one of the following roles: Global Administrator, Privileged Authentication Administrator, or Security Administrator.

04 If successful, the command returns no output (HTTP 204 No Content).

05 Verify the MFA state was updated:

az rest --method GET \
	--uri 'https://graph.microsoft.com/beta/users/abcd1234-5678-90ab-cdef-1234567890ab/authentication/requirements' \
	--query perUserMfaState

06 The command output should return:

"enabled"

07 The next time the user signs in, they will be prompted to set up MFA by registering an authentication method such as the Microsoft Authenticator app, phone number, or email.

08 Repeat steps no. 1 – 7 for each privileged Microsoft Azure user that you want to configure for Multi-Factor Authentication.

Publication date Aug 30, 2019