Tminus365 Docs

MFA Shall Be Required for All Users


Last updated 1 year ago

Description

MFA, or multi-factor authentication, is a security measure that requires users to provide multiple forms of identification to gain access to a system or network. By enforcing MFA within an organization, companies can better protect themselves against cyber threats, such as hacking and identity theft.

At a minimum, users with privileged roles such as Global Administrators should have MFA enforced. Where possible, phishing-resistant MFA should be required for all users, since it protects against sophisticated phishing attacks. Phishing-resistant MFA may not always be immediately available, especially on mobile devices. Where it is not yet available, organizations should adopt an MFA method from the list below.

Microsoft also encourages a break-glass account to ensure that you are not accidentally locked out of your organization. These accounts are referred to as emergency access accounts and should be excluded from MFA enforcement.

MFA can be enforced with per-user settings, Conditional Access policies, or Security Defaults. Per-user settings will be deprecated in January of 2024. Since February of 2022, Security Defaults have been enabled on all new tenants, which requires MFA for all users. Security Defaults are NOT a hard requirement for non-partner tenants but are recommended. If your tenant is licensed for Conditional Access, it is recommended that you enforce Conditional Access policies instead of Security Defaults.

Policy

  • MFA is enforced for all users

  • Phishing-resistant MFA is enforced for all users

  • If phishing-resistant MFA cannot be used, an MFA method from the list below shall be used temporarily:

    • Microsoft Authenticator (Push Notifications)

    • Microsoft Authenticator (Passwordless Sign-In)

      • While using Microsoft Authenticator:

        • Number Matching shall be enabled

        • Geolocation shall be enabled

    • Software Tokens One-Time Password (OTP): this option is commonly implemented using mobile phone authenticator apps.

    • Hardware tokens OTP

  • SMS and Voice shall not be used as the MFA method

  • One emergency, break-glass account shall be created and excluded from MFA enforcement

  • Accounts excluded from MFA shall be documented and include a justification reason
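As an added example (not code from this page or from the msp4msps/Security repository), the following Microsoft Graph PowerShell script creates the Conditional Access policy the list above calls for: all users, the built-in phishing-resistant authentication strength (or plain MFA as the temporary fallback), the break-glass group excluded, deployed in report-only mode, and it refuses to deploy while that exclusion group is empty. It assumes the Microsoft Graph PowerShell SDK is installed; the group name and policy display name are placeholders.

```powershell
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.SignIns

function New-RequireMfaPolicy {
    param(
        [string]$ExclusionGroupName = 'SG-MFA-Exclusions',  # placeholder: holds the break-glass and service accounts
        [switch]$PhishingResistant,                          # require the built-in 'Phishing-resistant MFA' strength
        [string]$DisplayName = 'CA - Require MFA for all users'   # placeholder policy name
    )

    # Resolve the exclusion group and refuse to continue if it is empty: with nothing
    # excluded, the emergency access account would be caught by the policy as well.
    $group = Get-MgGroup -Filter "displayName eq '$ExclusionGroupName'" | Select-Object -First 1
    if (-not $group) { throw "Exclusion group '$ExclusionGroupName' not found; create it first." }
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    if ($members.Count -eq 0) { throw 'Exclusion group is empty; add the break-glass account before deploying.' }

    if ($PhishingResistant) {
        # Built-in authentication strength covering FIDO2, CBA and Windows Hello for Business.
        $strength = Get-MgPolicyAuthenticationStrengthPolicy |
            Where-Object { $_.PolicyType -eq 'builtIn' -and $_.DisplayName -eq 'Phishing-resistant MFA' }
        if (-not $strength) { throw 'Built-in phishing-resistant authentication strength not found.' }
        $grant = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
    } else {
        # Temporary fallback from the Policy list: any registered MFA method satisfies the control.
        $grant = @{ operator = 'OR'; builtInControls = @('mfa') }
    }

    $body = @{
        displayName   = $DisplayName
        # Report-only first; switch to 'enabled' after reviewing the sign-in logs.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeGroups = @($group.Id) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = $grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'GroupMember.Read.All'
New-RequireMfaPolicy -PhishingResistant
```

Run it without `-PhishingResistant` to create the interim policy that accepts any method from the list; the two policies are not meant to coexist, so retire the interim one once the phishing-resistant policy is enforced.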

Licensing Considerations

Enforcing MFA through Conditional Access requires an Azure AD P1 license, which can be purchased standalone or through the following common plans:

  • Microsoft 365 Business Premium

  • EMS + E3 or EMS + E5

  • Microsoft 365 E3

  • Microsoft 365 E5

  • OATH Hardware Tokens require Azure AD P1 or P2 Licensing

Enforcing MFA per user or through Security Defaults is available through all Microsoft licensing plans.

Set Up Instructions

Phishing Resistant MFA:

1. In the Azure Portal navigate to Azure Active Directory.

2. Select Security.

3. Select Manage -> MFA.

4. Under Configure, select Additional cloud-based MFA settings.

5. Under verification options, select Notification through mobile app.

6. If desired, to enforce Microsoft Authenticator app usage and disable third party authenticator apps usage, make sure that Verification code from mobile app or hardware token is not selected.

7. Click Save.

8. Go back to the Azure Active Directory home tab and select Security.

9. Select Authentication Methods.

10. In the Policies window, select Microsoft Authenticator.

11. For Enable, select Yes.

12. For Target, select All users.

13. In the row for All users, click the ... -> Configure.

14. If configuring Phone Sign-in (aka Passwordless Sign-in), for Authentication mode, select Passwordless. If configuring Push Notifications, for Authentication mode, select Push. If configuring the usage of both, for Authentication mode, select Any.

a. For Require number matching, select Enabled.

b. For Show additional context in notifications, select Enabled.

15. Select Done.

16. Click Save.

1. In the Azure Portal, navigate to Azure Active Directory.

2. Select Security.

3. Select Manage -> MFA.

4. Under Configure, select Additional cloud-based MFA settings.

5. Under verification options, select Verification code from mobile app or hardware token.

6. If configuring Hardware Tokens OTP, follow the additional steps at this link when provisioning a user.

1. In the Azure Portal, navigate to Azure Active Directory.

2. Select Security.

3. Select Manage -> MFA.

4. Under Configure, select Additional cloud-based MFA settings.

5. Under verification options, make sure that Text message to phone and Call to phone are disabled.

End-User Impact

Level: High

End-user impact is high due to the necessary configuration steps and the prompts to fulfill MFA requests. The user experience will vary depending on which MFA methods you have set up. In my CIS section, I have end-user notifications available as part of the Security Baselines document.

Tips:

Create a group in Azure Active Directory used to hold all accounts excluded from MFA. This would be your emergency break-glass account and service accounts such as the Azure AD Connect sync service account (if you are running a hybrid environment).

If you are not able to enforce phishing-resistant MFA across all users, at minimum try to enable it for accounts with privileged roles (Global Admins, User Admins, etc.).

PowerShell Scripts

Per User MFA: Security/Enable MFA.ps1 at master · msp4msps/Security (github.com)

Convert from per-user MFA to Conditional Access MFA: Move from per-user MFA to Conditional Access MFA - ALI TAJRAN

MFA Status Reporting (Multi-tenant): Security/MFA Status_Custom Control_All Customers.ps1 at master · msp4msps/Security (github.com); Monitoring with PowerShell: Monitoring the used MFA type for O365/Azure. (cyberdrain.com)

Videos

Requiring All users to have MFA through Conditional Access: Require MFA for all users with Conditional Access - Azure Active Directory - Microsoft Entra | Microsoft Learn

Security Defaults in Azure AD: Providing a default level of security in Azure Active Directory - Microsoft Entra | Microsoft Learn

Legacy Per user MFA: Enable per-user Multi-Factor Authentication - Azure Active Directory - Microsoft Entra | Microsoft Learn

Migrating from Legacy Per User Settings: How to migrate to the Authentication methods policy - Azure Active Directory (preview) - Microsoft Entra | Microsoft Learn

FIDO2 Security Key: Passwordless security key sign-in - Azure Active Directory - Microsoft Entra | Microsoft Learn

Certificate Based Authentication: How to configure Azure AD certificate-based authentication - Azure Active Directory - Microsoft Entra | Microsoft Learn

Windows Hello for Business:

Password Less Sign In with Microsoft Authenticator: Passwordless sign-in with Microsoft Authenticator - Azure Active Directory - Microsoft Entra | Microsoft Learn

Using Number matching: Use number matching in multifactor authentication (MFA) notifications - Azure Active Directory - Microsoft Entra | Microsoft Learn

Using Geolocation: Use additional context in Microsoft Authenticator notifications - Azure Active Directory - Microsoft Entra | Microsoft Learn

What Authentication methods are available in AAD: Authentication methods and features - Azure Active Directory - Microsoft Entra | Microsoft Learn
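Tied to the MFA Status Reporting entry under PowerShell Scripts, this added example (not one of the scripts linked on this page) pulls the tenant's authentication-method registration report through Microsoft Graph and checks each member account against this policy: not registered, registered only with SMS/voice, registered, or holding a phishing-resistant method, listing admins first. It assumes the Microsoft Graph PowerShell SDK and the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes; the method-name strings are those the report returns, and the passkey names are included as a subset.

```powershell
Import-Module Microsoft.Graph.Reports

# Method names as they appear in methodsRegistered in the Graph registration-details report.
$PhoneMethods   = @('mobilePhone', 'alternateMobilePhone', 'officePhone')   # SMS and voice: disallowed by this policy
$PhishResistant = @('fido2SecurityKey', 'windowsHelloForBusiness', 'passKeyDeviceBound',
                    'passKeyDeviceBoundAuthenticator', 'passKeyDeviceBoundWindowsHello')

function Get-MfaPolicyStatus {
    # Classifies one registration-detail record against the policy on this page.
    param([Parameter(Mandatory)]$Detail)
    $methods = @($Detail.MethodsRegistered)
    $status = if (-not $Detail.IsMfaRegistered) { 'NotRegistered' }
        elseif (@($methods | Where-Object { $_ -in $PhishResistant }).Count -gt 0) { 'PhishingResistant' }
        elseif (@($methods | Where-Object { $_ -notin $PhoneMethods }).Count -eq 0) { 'PhoneOnly' }
        else { 'Registered' }
    [pscustomobject]@{
        User    = $Detail.UserPrincipalName
        IsAdmin = $Detail.IsAdmin
        Status  = $status
        Methods = ($methods -join ',')
    }
}

function Get-MfaPolicyReport {
    # Pulls the tenant-wide report and lists the gaps, admins first, because the page
    # asks for phishing-resistant MFA on privileged accounts at a minimum.
    $report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { $_.UserType -eq 'member' } |
        ForEach-Object { Get-MfaPolicyStatus -Detail $_ }

    $report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
    $report |
        Where-Object { $_.Status -in @('NotRegistered', 'PhoneOnly') -or
                       ($_.IsAdmin -and $_.Status -ne 'PhishingResistant') } |
        Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, User |
        Format-Table User, IsAdmin, Status, Methods -AutoSize
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome
Get-MfaPolicyReport
```

Accounts reported as PhoneOnly are the ones to move to Authenticator or a token before the SMS and voice verification options are disabled, otherwise they lose the only method they have registered.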