Ensure that the "Allow users to remember multi-factor authentication on devices they trust" feature is disabled in your Microsoft Entra ID tenant so that users cannot bypass MFA on previously used devices and browsers. Multi-Factor Authentication (MFA) is an effective method of verifying the identity of your Azure users by requiring a one-time code generated by a software or hardware authenticator in addition to the usual account credentials.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Remembering Multi-Factor Authentication (MFA) for devices and browsers lets Microsoft Azure users bypass MFA for a configurable number of days (from 1 to 365) after a successful sign-in that included the MFA challenge. Remembering MFA improves usability by reducing how often a user must complete two-step verification on the same device; however, the "remembered" state is stored on that device, so if the device or the user's browser session is compromised, an attacker can sign in with only the password for the remainder of the period. When the "Allow users to remember multi-factor authentication on devices they trust" feature is disabled, users are required to complete Multi-Factor Authentication on every sign-in.
Audit
To determine "Allow users to remember multi-factor authentication on devices they trust" feature status, perform the following actions:
Note: Retrieving the configuration status of the "Allow users to remember multi-factor authentication on devices they trust" feature using the Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
To disable remembering Multi-Factor Authentication (MFA) for your Microsoft Entra ID users, so that trusted devices and browsers can no longer bypass two-step verification, perform the following actions:
Note: Managing the configuration settings of the "Allow users to remember multi-factor authentication on devices they trust" feature using the Microsoft Graph API or Azure CLI is not currently supported.