The following compliance controls are associated with this Policy definition '[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled' (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| Azure_Security_Benchmark_v1.0 | 3.5 | Azure_Security_Benchmark_v1.0_3.5 | Azure Security Benchmark 3.5 | Identity and Access Control | Use multi-factor authentication for all Microsoft Entra ID based access | Customer | Enable Microsoft Entra MFA and follow Azure Security Center Identity and Access Management recommendations.<br>How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted<br>How to monitor identity and access within Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-identity-access | n/a | link | 3 |
| Azure_Security_Benchmark_v2.0 | IM-4 | Azure_Security_Benchmark_v2.0_IM-4 | Azure Security Benchmark IM-4 | Identity Management | Use strong authentication controls for all Microsoft Entra ID based access | Customer | Microsoft Entra ID supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods.<br>- Multi-factor authentication: Enable Microsoft Entra MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors.<br>- Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards.<br>For administrator and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users.<br>If legacy password-based authentication is still used for Microsoft Entra ID authentication, please be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy, and hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Microsoft Entra ID provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (e.g. branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts.<br>Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, you should change them during initial service setup.<br>How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted<br>Introduction to passwordless authentication options for Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless<br>Microsoft Entra ID default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts<br>Eliminate bad passwords using Microsoft Entra Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad | n/a | link | 3 |
| NZ_ISM_v3.5 | AC-3 | NZ_ISM_v3.5_AC-3 | NZISM Security Benchmark AC-3 | Access Control and Passwords | 16.1.35 Methods for system user identification and authentication | Customer | n/a | A personal identification number is typically short in length and employs a small character set, making it susceptible to brute force attacks. | link | 1 |
| NZISM_Security_Benchmark_v1.1 | AC-3 | NZISM_Security_Benchmark_v1.1_AC-3 | NZISM Security Benchmark AC-3 | Access Control and Passwords | 16.1.35 Methods for system user identification and authentication | Customer | Agencies SHOULD ensure that they combine the use of multiple methods when identifying and authenticating system users. | A personal identification number is typically short in length and employs a small character set, making it susceptible to brute force attacks. | link | 1 |