Skip to main content

lacework-global-597

1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users (Manual)

Profile Applicability

• Level 2

Description

Enable multi-factor authentication for all non-privileged users.

Rationale

Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Impact

Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select the Azure Active Directory blade
  3. Then Users
  4. Select All Users
  5. Click on Per-User MFA button on the top bar
  6. Ensure that for all users MULTI-FACTOR AUTH STATUS is Enabled

From Azure REST API

For Every Subscription, For Every Tenant

Step 1: Identify Users with non-administrative Access

  1. List All Users Using Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/users

Capture id and corresponding userPrincipalName ($uid, $userPrincipalName)

  1. List all Role Definitions Using Azure management API:
https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions?api-version=2017-05-01

Capture Role Definition IDs/Name ($name) and role names ($properties/roleName) where "properties/roleName" does NOT contain (Owner or *contributor or admin )

  1. List All Role Assignments (Mappings $A.uid to $B.name) Using Azure Management API:
GET https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleassignments?api-version=2017-10-01-preview

Find all non-administrative roles ($B.name) in "Properties/roleDefinationId" mapped with user ids ($A.id) in "Properties/principalId" where "Properties/principalType" == "User"

D> Now Match ($CProperties/principalId) with $A.uid and get $A.userPrincipalName save this as D.userPrincipleName

Step 2: Run MSOL Powershell command:

Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

If the output contains any of the $D.userPrincipleName, then this recommendation is non-compliant.

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation. The only option is MSOL.

Remediation

Follow Microsoft Azure documentation and enable multi-factor authentication in your environment.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

Enabling and configuring MFA is a multi-step process. Here are some additional resources on the process within Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

References

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access