AzPolicyAdvertizer

last sync: 2025-Aug-12 17:23:12 UTC

[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled
Id 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4
Version 1.1.0-deprecated
Details on versioning
Versioning Versions supported for Versioning: 2
1.1.0 (1.1.0-deprecated)
1.0.0
Built-in Versioning [Preview]
Category Security Center
Microsoft Learn
Description This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.1.0-deprecated'
Repository: Azure-Policy 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4
Mode All
Type BuiltIn
Preview False
Deprecated True
Effect Default
Disabled
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code True False
Rule resource types IF (1)
Compliance
The following 4 compliance controls are associated with this Policy definition '[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled' (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
Rows: 1-4 / 4

Columns:

Close

Columns▼Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 1
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 3.5 Azure_Security_Benchmark_v1.0_3.5 Azure Security Benchmark 3.5 Identity and Access Control Use multi-factor authentication for all Microsoft Entra ID based access Customer Enable Microsoft Entra MFA and follow Azure Security Center Identity and Access Management recommendations. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted How to monitor identity and access within Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-identity-access n/a link 3
Azure_Security_Benchmark_v2.0 IM-4 Azure_Security_Benchmark_v2.0_IM-4 Azure Security Benchmark IM-4 Identity Management Use strong authentication controls for all Microsoft Entra ID based access Customer Microsoft Entra ID supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods. - Multi-factor authentication: Enable Microsoft Entra MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. - Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards. For administrator and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users. If legacy password-based authentication is still used for Microsoft Entra ID authentication, please be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Microsoft Entra ID provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (e.g. branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts. Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, you should change them during initial service setup. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted Introduction to passwordless authentication options for Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Microsoft Entra ID default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Microsoft Entra Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad n/a link 3
NZ_ISM_v3.5 AC-3 NZ_ISM_v3.5_AC-3 NZISM Security Benchmark AC-3 Access Control and Passwords 16.1.35 Methods for system user identification and authentication Customer n/a A personal identification number is typically short in length and employs a small character set, making it susceptible to brute force attacks. link 1
NZISM_Security_Benchmark_v1.1 AC-3 NZISM_Security_Benchmark_v1.1_AC-3 NZISM Security Benchmark AC-3 Access Control and Passwords 16.1.35 Methods for system user identification and authentication Customer Agencies SHOULD ensure that they combine the use of multiple methods when identifying and authenticating system users. A personal identification number is typically short in length and employs a small character set, making it susceptible to brute force attacks. link 1
Initiatives usage
Rows: 1-5 / 5
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 1
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2025-01-21 19:02:36 change Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)
2022-08-09 17:24:03 add 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4
JSON compare
compare mode: version left: version right:
1.0.0 → 1.1.0-deprecated RENAMED
@@ -1,12 +1,13 @@
1
  {
2
- "displayName": "Accounts with read permissions on Azure resources should be MFA enabled",
3
  "policyType": "BuiltIn",
4
  "mode": "All",
5
- "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.",
6
  "metadata": {
7
- "version": "1.0.0",
8
- "category": "Security Center"
 
9
  },
10
  "parameters": {
11
  "effect": {
12
  "type": "String",
@@ -17,9 +18,9 @@
17
  "allowedValues": [
18
  "AuditIfNotExists",
19
  "Disabled"
20
  ],
21
- "defaultValue": "AuditIfNotExists"
22
  }
23
  },
24
  "policyRule": {
25
  "if": {
 
1
  {
2
+ "displayName": "[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled",
3
  "policyType": "BuiltIn",
4
  "mode": "All",
5
+ "description": "This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation",
6
  "metadata": {
7
+ "version": "1.1.0-deprecated",
8
+ "category": "Security Center",
9
+ "deprecated": true
10
  },
11
  "parameters": {
12
  "effect": {
13
  "type": "String",
 
18
  "allowedValues": [
19
  "AuditIfNotExists",
20
  "Disabled"
21
  ],
22
+ "defaultValue": "Disabled"
23
  }
24
  },
25
  "policyRule": {
26
  "if": {
JSON
api-version=2021-06-01
EPAC 
{7 items}