[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled

Azure BuiltIn Policy definition

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Security/assessments/status.code

Microsoft.Security

assessments

properties.status.code

True

False

Control Domain

Control

Name

MetadataId

Category

Title

Owner

Requirements

Description

Info

Policy#

Azure_Security_Benchmark_v1.0

3.5

Azure_Security_Benchmark_v1.0_3.5

Azure Security Benchmark 3.5

Identity and Access Control

Use multi-factor authentication for all Microsoft Entra ID based access

Customer

Enable Microsoft Entra MFA and follow Azure Security Center Identity and Access Management recommendations. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted How to monitor identity and access within Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-identity-access

n/a

link

Azure_Security_Benchmark_v2.0

IM-4

Azure_Security_Benchmark_v2.0_IM-4

Azure Security Benchmark IM-4

Identity Management

Use strong authentication controls for all Microsoft Entra ID based access

Customer

Microsoft Entra ID supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods. - Multi-factor authentication: Enable Microsoft Entra MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. - Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards. For administrator and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users. If legacy password-based authentication is still used for Microsoft Entra ID authentication, please be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Microsoft Entra ID provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (e.g. branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts. Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, you should change them during initial service setup. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted Introduction to passwordless authentication options for Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Microsoft Entra ID default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Microsoft Entra Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad

n/a

link

NZ_ISM_v3.5

AC-3

NZ_ISM_v3.5_AC-3

NZISM Security Benchmark AC-3

Access Control and Passwords

16.1.35 Methods for system user identification and authentication

Customer

n/a

A personal identification number is typically short in length and employs a small character set, making it susceptible to brute force attacks.

link