Skip to main content

lacework-global-511

1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' (Manual)

Profile Applicability

• Level 1

Description

Joining or registering devices to the active directory should require Multi-factor authentication.

Rationale

Multi-factor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. Note: Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.

Impact

A slight impact of additional overhead, as Administrators will now have to approve every access to the domain.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Devices
  4. Select Device settings
  5. Ensure that Require Multi-Factor Authentication to register or join devices with Azure AD is set to Yes

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Devices
  4. Select Device settings, then set Require Multi-Factor Authentication to register or join devices with Azure AD to Yes

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

https://blogs.technet.microsoft.com/janketil/2016/02/29/azure-mfa-for-enrollment-in-intune-and-azure-ad-device-registration-explained/
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access