Admin Accounts Without MFA [CHK-1137]
This check identifies administrative accounts that do not have a registered method for Multi-Factor Authentication (MFA).
Rationale
Administrative accounts have privileged access to organizational information, which makes them valuable targets for attackers. Microsoft is making MFA mandatory for certain administrative functions, including emergency-access (break-glass) accounts. This check helps ensure compliance and avoid potential issues.
Fix
An automated fix is available through Attic.
Manual steps:
- Go to: https://mysignins.microsoft.com/security-info (sign in with the relevant account)
- Click to add an authentication method
- Choose a method that is phishing-resistant: Authenticator App, Security Key or Passkey
- Follow the on-screen configuration steps
- When finished, you may add a second MFA method as a backup
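To verify the check and the fix across a tenant rather than one account at a time, the following added example (not part of Attic or this check's own code) lists directory-role members that have no MFA-capable method registered, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the scopes listed, and that only activated role assignments matter (PIM-eligible assignments are not enumerated by Get-MgDirectoryRole).

```powershell
# Added example, not Attic's own code. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All", "User.Read.All"

# Method types counted as MFA for this check. Password, e-mail and Temporary Access Pass
# are deliberately excluded: they are always present or are not second factors.
$mfaTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",   # Authenticator App
    "#microsoft.graph.fido2AuthenticationMethod",                    # Security Key / Passkey
    "#microsoft.graph.softwareOathAuthenticationMethod",             # third-party TOTP app
    "#microsoft.graph.phoneAuthenticationMethod",                    # SMS / voice call
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)
# The methods the Fix section recommends (Authenticator App, Security Key or Passkey).
$preferredTypes = $mfaTypes[0..1]

# Collect every user that holds at least one activated directory role.
$admins = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Roles may also contain groups or service principals; only users register MFA methods.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        if (-not $admins.ContainsKey($member.Id)) {
            $admins[$member.Id] = @{ Upn = $member.AdditionalProperties['userPrincipalName']; Roles = @() }
        }
        $admins[$member.Id].Roles += $role.DisplayName
    }
}

# For each admin, read the registered authentication methods and classify them.
$findings = foreach ($id in $admins.Keys) {
    $types = Get-MgUserAuthenticationMethod -UserId $id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $registered = @($types | Where-Object { $mfaTypes -contains $_ })
    [pscustomobject]@{
        User              = $admins[$id].Upn
        Roles             = ($admins[$id].Roles -join '; ')
        HasMfa            = ($registered.Count -gt 0)
        PhishingResistant = (@($registered | Where-Object { $preferredTypes -contains $_ }).Count -gt 0)
        Methods           = ($registered -join ', ')
    }
}

# Accounts that fail this check (no MFA method at all); review PhishingResistant -eq $false separately.
$findings | Where-Object { -not $_.HasMfa } | Sort-Object User | Format-Table -AutoSize
```

Re-run the script after applying the fix to confirm the list is empty; accounts that appear with HasMfa true but PhishingResistant false have only SMS, voice or TOTP registered.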
Impact
Once the fix is applied, all administrative accounts will have at least one MFA method set up, enhancing the security of these accounts and complying with Microsoft's requirements.