Microsoft Intune service must be configured to use a DOD Central Directory Service to provide multifactor authentication for network access to privileged and nonprivileged accounts and individual and group accounts.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-267341	SRG-APP-000149-UEM-000083	MSIN-24-000440	SV-267341r1026082_rule	2024-10-04	1

Description
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. If an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. Some applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply. Satisfies: FIA Reference: PP-MDM-414003 Satisfies: SRG-APP-000149-UEM-000083, SRG-APP-000153-UEM-000087

Description

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. If an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. Some applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply. Satisfies: FIA Reference: PP-MDM-414003 Satisfies: SRG-APP-000149-UEM-000083, SRG-APP-000153-UEM-000087

ℹ️ Check
Verify all Intune user accounts require MFA. 1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator. 2. Browse to Conditional Access. 3. Find the MFA policy. 4. Confirm Enable policy is set to "On". If all Intune user accounts do not require MFA, this is a finding.

✔️ Fix
Intune administrator account authentication is managed by Entra ID. The following steps will create a Conditional Access policy to require all Intune users use multifactor authentication. 1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator. 2. In the search bar, search for Conditional Access. 3. Select "Create new policy". 4. Name the policy. It is recommended that organizations create a meaningful standard for the names of their policies. 5. Under Assignments, select "Users or workload identities". a. Under Include, select "All users". b. Under Exclude, select "Users and groups" and choose the organization's emergency access or break-glass accounts. 6. Under Target resources >> Cloud apps >> Include, select "All cloud apps". This will include Intune. a. Under Exclude, select any applications that do not require multifactor authentication. 7. Under Access controls >> Grant, select "Grant access, Require multifactor authentication", and select "Select". 8. Confirm the settings and set Enable policy to Report-only. 9. Select Create to create to enable the policy. 10. After confirming the policy, deploy the policy be either moving the Enable policy toggle from Report-only to On or alternately, deploy the policy using a Conditional Access template.

✔️ Fix

Intune administrator account authentication is managed by Entra ID. The following steps will create a Conditional Access policy to require all Intune users use multifactor authentication. 1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator. 2. In the search bar, search for Conditional Access. 3. Select "Create new policy". 4. Name the policy. It is recommended that organizations create a meaningful standard for the names of their policies. 5. Under Assignments, select "Users or workload identities". a. Under Include, select "All users". b. Under Exclude, select "Users and groups" and choose the organization's emergency access or break-glass accounts. 6. Under Target resources >> Cloud apps >> Include, select "All cloud apps". This will include Intune. a. Under Exclude, select any applications that do not require multifactor authentication. 7. Under Access controls >> Grant, select "Grant access, Require multifactor authentication", and select "Select". 8. Confirm the settings and set Enable policy to Report-only. 9. Select Create to create to enable the policy. 10. After confirming the policy, deploy the policy be either moving the Enable policy toggle from Report-only to On or alternately, deploy the policy using a Conditional Access template.