Phishing-resistant MFA for Admins [CHK-1171]
This check verifies whether phishing-resistant multi-factor authentication (MFA) is enforced for administrators.
Rationale
Admin accounts are prime targets for attackers who actively try to bypass MFA. Implementing phishing-resistant MFA methods, although less user-friendly or more expensive, significantly enhances the security of these accounts.
Fix
An automated fix is available through Attic. The fix first creates the policy in report-only mode so you can review which admins it would affect; the policy is then changed to 'enabled' to enforce it.
To fix it yourself:
- Navigate to the Entra ID portal at https://entra.microsoft.com
- Go to Conditional Access > Policies
- Click "New policy"
- Name the policy (e.g., "Require phishing-resistant MFA for admins")
- Under "Assignments > Users", select "Directory roles" and choose admin roles
- Under "Assignments > Cloud apps", select "All cloud apps"
- Under "Access controls > Grant", select "Require authentication strength" and choose "Phishing-resistant MFA"
- Set "Enable policy" to "Report-only" initially
- Click "Create"
- Review the report-only results before changing to "On"
Impact
Once the policy is enabled, admins without phishing-resistant MFA methods registered will be unable to sign in.
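The same procedure can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example and is not Attic's own fix or Microsoft's code: it creates the policy in report-only mode, summarises the report-only outcomes recorded in the sign-in log, and lists targeted admins who have no phishing-resistant method registered (the accounts that the Impact paragraph says will be locked out once the policy is switched on). The policy name, the set of admin roles, the seven-day lookback and the list of method names counted as phishing-resistant are assumptions to adjust for your tenant.

```powershell
# Added example (not Attic's or Microsoft's code). Assumes the Microsoft.Graph
# PowerShell SDK is installed: Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Directory.Read.All', 'AuditLog.Read.All',
                        'UserAuthenticationMethod.Read.All'

$PolicyName = 'Require phishing-resistant MFA for admins'   # assumed name

# Assumed set of roles to protect; extend to match the admin roles in your tenant.
$AdminRoleNames = @(
  'Global Administrator', 'Privileged Role Administrator',
  'Privileged Authentication Administrator', 'Security Administrator',
  'Conditional Access Administrator', 'Application Administrator',
  'Cloud Application Administrator', 'Exchange Administrator',
  'SharePoint Administrator', 'User Administrator', 'Authentication Administrator'
)

# Conditional Access targets directory role *templates*, so resolve names to template IDs.
$roleIds = Get-MgDirectoryRoleTemplate -All |
  Where-Object { $_.DisplayName -in $AdminRoleNames } |
  Select-Object -ExpandProperty Id

# Resolve the built-in "Phishing-resistant MFA" authentication strength by
# display name rather than hardcoding its GUID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
  Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" strength not found.' }

# Step 1: create the policy in report-only mode (state enabledForReportingButNotEnforced).
$body = @{
  displayName   = $PolicyName
  state         = 'enabledForReportingButNotEnforced'
  conditions    = @{
    users        = @{
      includeRoles = @($roleIds)
      # excludeUsers = @('<emergency-access account object id>')  # assumption: exclude break-glass accounts
    }
    applications = @{ includeApplications = @('All') }
  }
  grantControls = @{
    operator               = 'OR'
    authenticationStrength = @{ id = $strength.Id }
  }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created report-only policy '$PolicyName' with id $($policy.Id)"

# Step 2 (run after the policy has been in report-only mode for a while):
# which sign-ins would have been blocked? Only sign-ins recorded after the
# policy existed carry its report-only result.
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$wouldFail = foreach ($s in $signIns) {
  $hit = $s.AppliedConditionalAccessPolicies |
    Where-Object { $_.Id -eq $policy.Id -and $_.Result -eq 'reportOnlyFailure' }
  if ($hit) { $s.UserPrincipalName }
}
Write-Host 'Users whose recent sign-ins would have failed the policy:'
$wouldFail | Sort-Object -Unique

# Step 3: admins with no phishing-resistant method registered will be locked out
# once the policy is enabled. The method names below are an assumption drawn from
# the methodsRegistered enumeration; verify against the current Graph reference.
$PhishingResistantMethods = @(
  'fido2SecurityKey', 'windowsHelloForBusiness',
  'passKeyDeviceBound', 'passKeyDeviceBoundAuthenticator', 'passKeyDeviceBoundWindowsHello'
)
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter 'isAdmin eq true' -All
$unprotected = $admins | Where-Object {
  -not ($_.MethodsRegistered | Where-Object { $_ -in $PhishingResistantMethods })
}
Write-Host 'Admins with no phishing-resistant method registered (will be blocked when enforced):'
$unprotected | Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }

# Step 4: enforce only after the review above is clean. Uncomment to switch the policy to On.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#   -BodyParameter @{ state = 'enabled' }
```

Run steps 1 and 2 on separate occasions: the report-only results in step 2 only exist for sign-ins that happened after the policy was created. Step 3 does not depend on the policy at all, so it is the quickest way to see, before enabling, which admins still need to register a FIDO2 key, Windows Hello for Business or a passkey.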
More Information
For more details, visit Microsoft's guide on phishing-resistant MFA.