last sync: 2025-Apr-29 17:16:02 UTC

[Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled
Id 931e118d-50a1-4457-a5e4-78550e086c52
Version 1.1.0-deprecated
Versioning Versions supported for Versioning: 2
1.1.0 (1.1.0-deprecated)
1.0.0
Category Security Center
Description This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.1.0-deprecated'
Repository: Azure-Policy 931e118d-50a1-4457-a5e4-78550e086c52
Mode All
Type BuiltIn
Preview False
Deprecated True
Effect Default: Disabled
Effect Allowed: AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code True False
Rule resource types IF (1)
Compliance
The following 4 compliance controls are associated with this Policy definition '[Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled' (931e118d-50a1-4457-a5e4-78550e086c52)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 3.5 Azure_Security_Benchmark_v1.0_3.5 Azure Security Benchmark 3.5 Identity and Access Control Use multi-factor authentication for all Microsoft Entra ID based access Customer Enable Microsoft Entra MFA and follow Azure Security Center Identity and Access Management recommendations. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted How to monitor identity and access within Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-identity-access n/a link 3
Azure_Security_Benchmark_v2.0 IM-4 Azure_Security_Benchmark_v2.0_IM-4 Azure Security Benchmark IM-4 Identity Management Use strong authentication controls for all Microsoft Entra ID based access Customer Microsoft Entra ID supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods. - Multi-factor authentication: Enable Microsoft Entra MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. - Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards. For administrator and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users. If legacy password-based authentication is still used for Microsoft Entra ID authentication, please be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Microsoft Entra ID provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (e.g. branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts. Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, you should change them during initial service setup. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted Introduction to passwordless authentication options for Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Microsoft Entra ID default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Microsoft Entra Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad n/a link 3
NZ_ISM_v3.5 AC-11 NZ_ISM_v3.5_AC-11 NZISM Security Benchmark AC-11 Access Control and Passwords 16.4.30 Privileged Access Management Customer n/a A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency's security policy. A PAM policy is a fundamental component of an agency's IT Governance. link 7
NZISM_Security_Benchmark_v1.1 AC-11 NZISM_Security_Benchmark_v1.1_AC-11 NZISM Security Benchmark AC-11 Access Control and Passwords 16.4.30 Privileged Access Management Customer Agencies MUST establish a Privileged Access Management (PAM) policy. Within the context of agency operations, the agency’s PAM policy MUST define: a privileged account; and privileged access. Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy. A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency’s security policy. A PAM policy is a fundamental component of an agency’s IT Governance. link 9
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
History
Date/Time (UTC ymd) Change type Change detail
2025-01-21 19:02:36 change Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)
2022-08-09 17:24:03 add 931e118d-50a1-4457-a5e4-78550e086c52