Block SMS Sign-In as First Authentication Factor [CHK-1164]
This check verifies whether SMS is blocked as the first authentication factor.
Rationale
Because SIM swapping lets an attacker take over a victim's phone number, SMS is considered an insecure authentication method. Microsoft, by default, enables the option to use SMS as the first factor for authentication. This could allow an attacker with access to an employee's phone or phone number to gain access to the Microsoft environment. Therefore, it is recommended to disable this setting.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com
- Go to Security > Authentication Methods
- Click on SMS
- Under All users, uncheck Use for sign-in so that it shows OFF
- Click Save
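The same check can be scripted against the Microsoft Graph authentication methods policy instead of clicking through the portal. The script below is an added example; it is not part of this page and not Attic's automated fix. It assumes the Microsoft.Graph PowerShell module and the documented Graph shape of the Sms configuration (fields state, includeTargets, id, targetType, isUsableForSignIn, with all_users as the tenant-wide target id); the sample object is constructed for illustration.

```powershell
# Added example (not the page's or Attic's code). Evaluates whether SMS is
# blocked as a first factor, given the Sms entry of the Entra authentication
# methods policy as returned by:
#   GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms
# Assumption: field names follow microsoft.graph.smsAuthenticationMethodConfiguration
# and microsoft.graph.smsAuthenticationMethodTarget.

function Test-SmsSignInBlocked {
    param(
        [Parameter(Mandatory)] [hashtable] $SmsConfig
    )
    # If the SMS method is disabled altogether, it cannot be used for sign-in.
    if ($SmsConfig.state -ne 'enabled') { return $true }
    # Otherwise any include target that is usable for sign-in means SMS is a
    # first factor for those users (the portal's "Use for sign-in" checkbox).
    foreach ($target in @($SmsConfig.includeTargets)) {
        if ($target.isUsableForSignIn -eq $true) { return $false }
    }
    return $true
}

# Constructed sample mirroring the Graph response: SMS enabled and usable for
# sign-in for all users, i.e. the configuration CHK-1164 flags.
$sample = @{
    '@odata.type'  = '#microsoft.graph.smsAuthenticationMethodConfiguration'
    id             = 'Sms'
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false; isUsableForSignIn = $true }
    )
}
$blocked = Test-SmsSignInBlocked -SmsConfig $sample
if ($blocked) { Write-Output 'PASS: SMS is not usable as a first factor' }
else          { Write-Output 'FAIL: SMS sign-in is still allowed for at least one target' }

# Live check against the tenant (requires Policy.Read.All):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms'
# Test-SmsSignInBlocked -SmsConfig $live

# Remediation equivalent to the manual steps (requires Policy.ReadWrite.AuthenticationMethod):
# $body = @{
#     '@odata.type'  = '#microsoft.graph.smsAuthenticationMethodConfiguration'
#     includeTargets = @(@{ id = 'all_users'; targetType = 'group'; isUsableForSignIn = $false })
# }
# Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms' -Body $body
```

Invoke-MgGraphRequest returns a hashtable, so the live object can be passed straight to Test-SmsSignInBlocked; the function treats a disabled SMS method as compliant and otherwise fails on any target that still has isUsableForSignIn set.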
Impact
This fix disables signing in with SMS, reducing the risk of unauthorized access to your Microsoft environment. Only the "Use for sign-in" option is turned off; where the SMS method itself remains enabled, it can still be used as a second factor.