Description
- Type: CUSTOMER
- Severity: CRITICAL
- Protection against: SOCIAL ENGINEERING
- CIS: M365 1.1.2 - (L2) Ensure multifactor authentication is enabled for all users in all roles
- FIX Available: YES
This Customer Check verifies via Secure Score whether all users have two-step verification enabled.
Why this check?
With Two-Step Verification (or Multi-Factor Authentication/MFA), an individual is forced to use multiple methods of authentication before access is granted. This provides more certainty about whether the person is truly who they claim to be. It makes it very complicated, if not impossible, for an attacker who has gained access to a password (via phishing, malware, or leaked data, for example) to log in. This form of authentication should at least be enabled for users with administrative rights because these individuals have access to sensitive data and systems and are therefore a major target for attackers. However, this check goes a step further and verifies if the authentication is also enabled for other users, which is advisable since employees without administrative rights can still have access to very sensitive data.
CIS Benchmarks
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 1.1.2 - (L2) Ensure multifactor authentication is enabled for all users in all roles
What are the possible outcomes of the check?
This check has multiple possible outcomes. This is mainly because Microsoft allows Two-Step Verification to be enforced in different ways:
- Security Defaults
- Conditional Access Policy
- Per user
The check verifies all these options. In Attic, this is reflected as follows:
- Okay: Two-Step Verification is enabled for all users
- Critical: Two-Step Verification is not (fully) enforced for all users
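As an added illustration (not Attic's own check code), the following Python models how the three enforcement paths above combine into the Okay/Critical outcome, including two cases that are easy to get wrong: a Conditional Access policy that is only in report-only mode, and a per-user state of "enabled" that is not yet "enforced". The field names and the sample tenant are assumptions constructed for this example, not the Secure Score or Microsoft Graph schema.

```python
from dataclasses import dataclass, field

OKAY, CRITICAL = "Okay", "Critical"

@dataclass
class Tenant:
    """Constructed snapshot of the three enforcement paths (field names are assumptions)."""
    security_defaults_enabled: bool
    users: list                                        # all user principal names in the tenant
    ca_policies: list = field(default_factory=list)    # Conditional Access policies
    per_user_mfa: dict = field(default_factory=dict)   # upn -> "disabled" | "enabled" | "enforced"

def covered_by_conditional_access(tenant):
    """True only for an enabled (not report-only) policy that requires MFA for
    all users and excludes nobody."""
    for policy in tenant.ca_policies:
        if policy["state"] != "enabled":           # report-only or disabled: nothing is enforced
            continue
        if not policy["include_all_users"] or policy["excluded_users"]:
            continue                               # an exclusion leaves those users unprotected
        if "mfa" in policy["grant_controls"]:
            return True
    return False

def users_without_enforced_mfa(tenant):
    """Per-user path: 'enabled' only asks the user to register, so it does not
    count as enforced; users missing from the map count as 'disabled'."""
    return sorted(u for u in tenant.users
                  if tenant.per_user_mfa.get(u, "disabled") != "enforced")

def evaluate_mfa_check(tenant):
    """Return (outcome, uncovered_users) using the check's two outcomes."""
    if tenant.security_defaults_enabled or covered_by_conditional_access(tenant):
        return OKAY, []
    missing = users_without_enforced_mfa(tenant)
    return (CRITICAL if missing else OKAY), missing

if __name__ == "__main__":
    # Constructed tenant: a report-only CA policy and one user still at "enabled".
    demo = Tenant(
        security_defaults_enabled=False,
        users=["alice@example.com", "bob@example.com"],
        ca_policies=[{"state": "enabledForReportingButNotEnforced",
                      "include_all_users": True, "excluded_users": [],
                      "grant_controls": ["mfa"]}],
        per_user_mfa={"alice@example.com": "enforced", "bob@example.com": "enabled"},
    )
    print(evaluate_mfa_check(demo))   # ('Critical', ['bob@example.com'])
```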
How should this be followed up?
If the output is Critical, we advise enabling Two-Step Verification for all users.
For this check, two Fixes are available; which one applies depends on the Azure AD license in your Microsoft tenant. If you have an Azure AD Premium P1 or P2 license, Two-Step Verification can be enforced for all users through a Conditional Access Policy. We will offer the appropriate fix via Attic.