CISA.MS.AAD.3.6 - Phishing-resistant MFA SHALL be required for highly privileged roles.
Overview
Phishing-resistant MFA SHALL be required for highly privileged roles.
Rationale: This is a backup security policy to help protect privileged access to the tenant if the conditional access policy, which requires MFA for all users, is disabled or misconfigured.
Remediation action:
Create a conditional access policy enforcing phishing-resistant MFA for highly privileged roles. Configure the following settings in the new conditional access policy, using the values below:
- In Entra, under Protection and Conditional Access, select Policies.
- Click New policy.
- Under New Conditional Access policy, configure the following settings:
- Users > Include > Select users and groups > Directory roles > select each of the roles in the Highly Privileged Roles list.
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require authentication strength > Phishing-resistant MFA
- Click Save.
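The same policy created with Microsoft Graph PowerShell, as an added example (not Maester, CISA or Microsoft code). It assumes the Microsoft.Graph module and an admin session; the role names are assumed to match the CISA Highly Privileged Roles list, and the policy is deliberately created in report-only state so sign-in impact can be reviewed before it is switched to enabled.

```powershell
# Added example: create the MS.AAD.3.6 conditional access policy via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the caller can consent to these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory"

# Assumption: these names illustrate the CISA Highly Privileged Roles list; take the
# authoritative list from the CISA ScubaGear Highly Privileged Roles page linked below.
$roleNames = @(
    "Global Administrator", "Privileged Role Administrator", "User Administrator",
    "SharePoint Administrator", "Exchange Administrator", "Hybrid Identity Administrator",
    "Application Administrator", "Cloud Application Administrator"
)

# Conditional access references roles by directory role template ID, so resolve each name.
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $roleNames) {
    $template = $templates | Where-Object DisplayName -eq $name
    if (-not $template) { throw "Directory role template not found: $name" }
    $template.Id
}

# Resolve the built-in "Phishing-resistant MFA" authentication strength by display name
# rather than hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq "Phishing-resistant MFA"
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' authentication strength not found" }

$policy = @{
    displayName = "CISA MS.AAD.3.6 - Phishing-resistant MFA for highly privileged roles"
    # Report-only first; change to "enabled" once the sign-in log review shows no lockout risk.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeRoles = $roleIds }           # Users > Include > Directory roles
        applications = @{ includeApplications = @("All") }    # Target resources > All cloud apps
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }       # Require authentication strength
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After the policy is enabled, re-run the Maester test named in the metadata below to confirm the check passes.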
Related links
- Entra admin center - Conditional Access | Policies
- CISA Strong Authentication & Secure Registration - MS.AAD.3.6v1
- CISA ScubaGear Rego Reference
- CISA ScubaGear Highly Privileged Roles
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.6 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaPrivilegedPhishResistant |
| Tags | CISA, CISA.MS.AAD.3.6, Entra ID P1, MS.AAD, MS.AAD.3.6 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaPrivilegedPhishResistant.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaPrivilegedPhishResistant.ps1