General
This checks whether a Conditional Access policy is in place that enforces phishing-resistant multi-factor authentication (MFA) for administrators.
Rationale
Attackers actively try to bypass MFA to gain access to organizations. Phishing-resistant methods for MFA exist, but they are less user-friendly and/or more expensive to implement. As such, these methods may not be feasible for all users, but are certainly worth considering for accounts with administrative rights.
Attic Fix
A fix is available for this check. It is offered as a ticket in Attic, which you can then accept.
The first time the fix is executed, it creates the policy in report-only mode. This lets you see in the sign-in logs which admins would be blocked by the policy, so that you can register additional, phishing-resistant MFA methods for those admins first.
The second time the fix is executed, the policy state is changed to 'enabled', after which the policy is actually enforced.
Manual instruction
Follow these steps to adjust the setting:
- Open the Entra ID admin portal via https://entra.microsoft.com
- Go to Protection and then Conditional Access
- Click on Create new policy from templates
- Search for phishing
- Click on the policy with the title "Require phishing-resistant multifactor authentication for admins" and click on Review + create
- Click on Create to create the policy in Reporting only
Later, you can open the policy and set the policy state to On to enable it.
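The same two-phase rollout (report-only first, enable later), as an added example using the Microsoft Graph PowerShell SDK rather than the portal; this is not Attic's own fix code. The role template IDs are Microsoft's published directory role templates and the authentication strength ID is the built-in "Phishing-resistant MFA" strength; the emergency-access account object ID is a placeholder you must fill in.

```powershell
# Added example (not Attic's fix): create the admin phishing-resistant MFA policy
# in report-only mode, then enable it once the sign-in logs show no blocked admins.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) account, excluded
# so a misconfiguration cannot lock every administrator out at once.
$breakGlassObjectId = "<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>"

# Directory role template IDs (Microsoft's built-in roles); extend as needed.
$adminRoles = @(
  "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
  "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
  "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
  "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",  # Conditional Access Administrator
  "29232cdf-9323-42fd-ade2-1d097af3e4de",  # Exchange Administrator
  "fe930be7-5e62-47db-91af-98c3a49a38b1"   # User Administrator
)

$policy = @{
  displayName = "Require phishing-resistant multifactor authentication for admins"
  state       = "enabledForReportingButNotEnforced"   # phase 1: report-only
  conditions  = @{
    applications = @{ includeApplications = @("All") }
    users        = @{
      includeRoles = $adminRoles
      excludeUsers = @($breakGlassObjectId)
    }
  }
  grantControls = @{
    operator = "OR"
    # Built-in authentication strength "Phishing-resistant MFA"
    authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
  }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in report-only mode"

# Phase 2: run only after reviewing the Report-only results in the sign-in logs
# and registering phishing-resistant methods for every admin that would be blocked.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#   -BodyParameter @{ state = "enabled" }
```

Report-only outcomes appear per sign-in under the Report-only tab of the Entra sign-in logs, which is where you confirm no admin would be blocked before switching the state to enabled.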
Impact
Admins without phishing-resistant MFA methods registered will no longer be able to log in once the policy is enabled.