Microsoft Entra ID must be configured to use multifactor authentication (MFA).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-270233 | SRG-APP-000149 | ENTR-ID-000440 | SV-270233r1085634_rule | 2025-03-17 | 1 |
Description |
---|
Without the use of MFA, the ease of access to privileged functions is greatly increased. MFA requires the use of two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000154, SRG-APP-000155 |
ℹ️ Check |
---|

Verify user accounts require MFA.

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Identity >> Protection >> Conditional Access.
3. Select "Policies" and find the MFA policy.
4. Confirm the policy state is set to "On". A policy in "Report-only" evaluates sign-ins but does not enforce MFA, so it does not satisfy this requirement.
5. Select the policy and confirm "All users" is selected under "Include" in the Users option of the policy.
6. Confirm any exclusions listed under the "Exclude" section of the Users option are documented with the authorizing official (AO).

If the MFA policy is not set to "On", if "All users" is not included, or if any exclusion is not documented with the AO, this is a finding.
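The same check can be scripted against the tenant with Microsoft Graph PowerShell, which is useful when reviewing many tenants or when the reviewer wants an exportable record of the exclusions. The script below is an added example and is not part of the STIG; it assumes the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups and Microsoft.Graph.Users modules are installed and that the signed-in account can read Conditional Access policy and directory objects (the Policy.Read.All and Directory.Read.All scopes requested here). The portal's "On" state is reported by Graph as `enabled`, "Report-only" as `enabledForReportingButNotEnforced`, and the "Require multifactor authentication" grant as the built-in control `mfa`.

```powershell
# Added example (not part of the STIG): audit Conditional Access policies for the
# all-users MFA requirement with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups and
# Microsoft.Graph.Users are installed and the caller can read policy and
# directory objects (Policy.Read.All, Directory.Read.All).
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Graph reports the portal's "Require multifactor authentication" grant as the
# built-in control "mfa"; a policy that requires an authentication strength is
# the newer equivalent and also satisfies the requirement.
function Test-RequiresMfa($policy) {
    $grant = $policy.GrantControls
    return ($grant.BuiltInControls -contains "mfa") -or
           ($null -ne $grant.AuthenticationStrength.Id)
}

# Portal "On" is Graph state "enabled"; "Report-only" is
# "enabledForReportingButNotEnforced" and enforces nothing.
$mfaPolicies = $policies | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    (Test-RequiresMfa $_)
}

if (-not $mfaPolicies) {
    Write-Warning "FINDING: no enabled Conditional Access policy requires MFA for All users."
    # Show MFA policies that exist but are not enforced, so the reviewer sees what is staged.
    $policies |
        Where-Object { (Test-RequiresMfa $_) -and $_.State -ne "enabled" } |
        Select-Object DisplayName, State
    return
}

foreach ($p in $mfaPolicies) {
    Write-Output "Policy '$($p.DisplayName)' is On and includes All users."
    if ($p.Conditions.Applications.IncludeApplications -notcontains "All") {
        Write-Warning "  Scope is limited to specific resources, not All cloud apps."
    }

    # Every exclusion must be documented with the AO, so resolve and list each one.
    foreach ($u in $p.Conditions.Users.ExcludeUsers) {
        # ExcludeUsers may hold keywords such as "GuestsOrExternalUsers", not only object IDs.
        if ($u -match '^[0-9a-fA-F-]{36}$') {
            $user = Get-MgUser -UserId $u
            Write-Output "  Excluded user : $($user.UserPrincipalName) ($u)"
        } else {
            Write-Output "  Excluded user selector: $u"
        }
    }
    foreach ($g in $p.Conditions.Users.ExcludeGroups) {
        $group = Get-MgGroup -GroupId $g
        Write-Output "  Excluded group: $($group.DisplayName) ($g)"
    }
    foreach ($r in $p.Conditions.Users.ExcludeRoles) {
        Write-Output "  Excluded directory role template: $r"
    }
    foreach ($a in $p.Conditions.Applications.ExcludeApplications) {
        Write-Output "  Excluded application: $a"
    }
}
```

A policy that passes the first test but prints exclusions the AO has not documented is still a finding; the script cannot know what the AO has approved, so the exclusion list is the evidence to compare against the documentation.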
✔️ Fix |
---|

Account authentication is managed by Entra ID. The following steps create a Conditional Access policy that requires all users to use MFA:

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. In the search bar, search for "Conditional Access".
3. Select "Create new policy".
4. Give the policy a name. Organizations should adopt a meaningful naming standard for their policies.
5. Under "Assignments", select "Users or workload identities".
   a. Under "Include", select "All users".
   b. Under "Exclude", select "Users and groups", and then choose the organization's emergency access or break-glass accounts.
6. Navigate to Target resources >> Cloud apps >> Include and select "All cloud apps". (Newer versions of the admin center label this "Resources (formerly cloud apps)" and "All resources".)
   a. Under "Exclude", select any applications the organization has approved to exempt from MFA.
7. Navigate to Access controls >> Grant, select "Grant access" and "Require multifactor authentication", and then click "Select".
8. Confirm the settings and set "Enable policy" to "Report-only".
9. Select "Create" to save the policy. In "Report-only" mode the policy is evaluated and logged but not enforced.
10. After reviewing the report-only results and confirming the policy behaves as intended (in particular that the break-glass accounts remain excluded), deploy it by moving the "Enable policy" toggle from "Report-only" to "On", or alternatively deploy it using a Conditional Access template.
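The same policy can be created with Microsoft Graph PowerShell, which makes the report-only stage and the later switch to "On" reproducible across tenants. The script below is an added example, not part of the STIG or Microsoft's own guidance; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller holds the Conditional Access Administrator role, and that the policy name, the break-glass group ID and the exempt application list are placeholders to be replaced with the organization's own values.

```powershell
# Added example (not part of the STIG): create the all-users MFA policy with
# Microsoft Graph PowerShell, starting in report-only mode.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller is a
# Conditional Access Administrator. Names and IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All" -NoWelcome

# Placeholder: object ID of the group containing the emergency access (break-glass) accounts.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Placeholder: application IDs the AO has approved to exempt from MFA (empty = none).
$exemptAppIds = @()

$params = @{
    displayName = "CA001 - All users - Require MFA"    # placeholder; follow your naming standard
    state       = "enabledForReportingButNotEnforced"  # portal "Report-only"
    conditions  = @{
        users = @{
            includeUsers  = @("All")                  # portal "All users"
            excludeGroups = @($breakGlassGroupId)     # portal Exclude > Users and groups
        }
        applications = @{
            includeApplications = @("All")            # portal "All cloud apps"
            excludeApplications = $exemptAppIds
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                    # "Require multifactor authentication"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Output "Created '$($policy.DisplayName)' ($($policy.Id)) in report-only mode."

# Step 10: only after the report-only sign-in results have been reviewed and the
# break-glass accounts are confirmed excluded should the policy be turned on.
# Set $enforceNow to $true once that review is complete.
$enforceNow = $false
if ($enforceNow) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ state = "enabled" }          # portal "On"
    Write-Output "Policy $($policy.Id) is now enforced."
}
```

Keep `$enforceNow` at `$false` on the first run; flipping a tenant-wide MFA policy straight to `enabled` without a report-only review is exactly the misconfiguration that locks administrators out when the break-glass exclusion is wrong.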