ssc-spc-ccoe-cei / azure-guardrails-solution-accelerator

This implementation automates reporting to verify compliance with GC Cloud Guardrails. SSC and TBS review the results.

GR1 | Validation 1| All Cloud User Accounts MFA Check (M) #132

Closed MathesonSho closed 1 week ago

MathesonSho commented 3 months ago

ItemName ENG: “All Cloud User Accounts MFA Check (M)”

ItemName FR: “Vérification de l’AMF de tous les comptes d’utilisateurs infonuagiques (M)”

Description: This is a new control. The intention is to determine if all Azure Native User Accounts have MFA authentication methods for their logins.

Ideal New Control Flow

  1. Getting a list of Azure Cloud Native Accounts automatically (MS Entra ID) and,

  2. then determining if every user has at least two methods of authentication configured.

  3. If all identified accounts (excl. BG Accounts) have 2+ methods of authentication then the department is compliant.

     Note: This check excludes the breakglass accounts provided by the department in the config.json.

  4. If any of the identified accounts (excl. BG Accounts) do not have MFA then the department is non-compliant.

Acceptable MFA Configurations

  5. Other options

Primary objective: each user requires at least one additional authentication method other than email or password. User should have two authentication methods available to them.

Reference: Microsoft Entra authentication methods API overview - Microsoft Graph v1.0 | Microsoft Learn

Messages/ Comments Suggested English

Messages/ Comments Suggested French
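
The control flow described in this issue, sketched in PowerShell over constructed data. This is an added example, not the project's own code. It reads the requirement as "two or more registered methods, at least one of them neither password nor email"; the UPNs, function names and break-glass list are hypothetical.

```powershell
# Constructed sample input: each user carries the '@odata.type' values that
# GET /users/{id}/authentication/methods (Microsoft Graph v1.0) returns.
$pw    = '#microsoft.graph.passwordAuthenticationMethod'
$email = '#microsoft.graph.emailAuthenticationMethod'
$app   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$fido  = '#microsoft.graph.fido2AuthenticationMethod'

$sampleUsers = @(
    [pscustomobject]@{ Upn = 'alice@contoso.example'; Methods = @($pw, $app) }
    [pscustomobject]@{ Upn = 'bob@contoso.example';   Methods = @($pw, $email) }  # email is not a second factor
    [pscustomobject]@{ Upn = 'carol@contoso.example'; Methods = @($fido) }        # only one method registered
    [pscustomobject]@{ Upn = 'bg1@contoso.example';   Methods = @($pw) }          # break-glass, excluded
)
# Hypothetical list; the issue says the department supplies these in config.json.
$sampleBreakGlass = @('BG1@contoso.example')

function Test-UserMfaMethods {
    # True when the user has 2+ methods and at least one is neither password nor email.
    param([string[]]$Methods)
    $notSecondFactor = @('#microsoft.graph.passwordAuthenticationMethod',
                         '#microsoft.graph.emailAuthenticationMethod')
    $all    = @($Methods | Where-Object { $_ })   # drop null or empty entries
    $strong = @($all | Where-Object { $_ -notin $notSecondFactor })
    return (($all.Count -ge 2) -and ($strong.Count -ge 1))
}

function Get-MfaCompliance {
    param([object[]]$Users, [string[]]$BreakGlassUpns)
    # -notin is case-insensitive, so UPN casing differences in the config do not matter.
    $checked = @($Users | Where-Object { $_.Upn -notin $BreakGlassUpns })
    $failing = @($checked | Where-Object { -not (Test-UserMfaMethods -Methods $_.Methods) })
    [pscustomobject]@{
        Compliant    = ($failing.Count -eq 0)
        UsersChecked = $checked.Count   # 0 here means nothing was evaluated
        NonMfaUsers  = @($failing | ForEach-Object { $_.Upn })
    }
}

Get-MfaCompliance -Users $sampleUsers -BreakGlassUpns $sampleBreakGlass | Format-List
```

A result with `UsersChecked` equal to 0 is vacuously compliant, so a real check should treat an empty user list as an error rather than a pass.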