CISA.MS.AAD.3.8 - Managed Devices SHOULD be required to register MFA.
Overview
Managed Devices SHOULD be required to register MFA.
Rationale: Reduces the risk of an adversary who has stolen a user's credentials registering their own MFA method and gaining persistent access to the tenant. Requiring a managed device (provisioned and controlled by the agency) for registration actions means the adversary cannot complete registration from their own unmanaged device.
Remediation action:
Create a conditional access policy requiring a user to be on a managed device when registering for MFA.
- In Entra under Protection and Conditional Access, select Policies.
- Click on New policy
- Under New Conditional Access policy, configure the following policy settings in the new conditional access policy, per the values below:
- Users > Include > All users
- Target resources > User actions > Register security information
- Access controls > Grant > Grant Access > Require device to be marked as compliant and Require Microsoft Entra hybrid joined device > For multiple controls > Require one of the selected controls
- Click Save.
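The same policy can be created and then checked from PowerShell against Microsoft Graph. The block below is an added example, not code from the Maester project or from CISA; the policy display name is an assumption, and it assumes the Microsoft.Graph.Identity.SignIns module is installed and the caller holds `Policy.ReadWrite.ConditionalAccess`. It creates the policy in report-only mode first so the effect on registration sign-ins can be reviewed before enforcement, and the check function deliberately passes only an `enabled` policy, since a report-only policy does not block anything.

```powershell
# Added example (not Maester or CISA code): create the MS.AAD.3.8 Conditional Access
# policy via Microsoft Graph PowerShell, then verify that an enforcing policy exists.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Display name is an assumption; pick whatever fits the tenant's naming standard.
$policyName = 'CISA MS.AAD.3.8 - Require managed device for MFA registration'

$body = @{
    displayName   = $policyName
    # Report-only first; switch to 'enabled' once the sign-in log review looks clean.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All') }          # Users > Include > All users
        applications   = @{
            # Target resources > User actions > Register security information
            includeUserActions = @('urn:user:registersecurityinfo')
        }
    }
    grantControls = @{
        # 'OR' is "Require one of the selected controls"
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }
if (-not $existing) {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host "Created policy $($policy.Id) in report-only mode"
}

# Check in the spirit of the Maester test: at least one *enabled* policy that targets
# all users on the register-security-info action and requires a compliant or
# hybrid-joined device. Report-only policies are not counted, because they do not enforce.
function Test-ManagedDeviceRegistrationPolicy {
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    $matching = $policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.Applications.IncludeUserActions -contains 'urn:user:registersecurityinfo' -and
        (
            $_.GrantControls.BuiltInControls -contains 'compliantDevice' -or
            $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice'
        )
    }
    return [bool]$matching
}

Test-ManagedDeviceRegistrationPolicy   # $false until the policy state is set to 'enabled'
```

Once the report-only review is complete, set the policy `state` to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }`) and re-run the check; it should then return `$true`.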
Related links
- Entra admin center - Conditional Access | Policies
- CISA Strong Authentication & Secure Registration - MS.AAD.3.8v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.8 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaManagedDeviceRegistration |
| Tags | CISA, CISA.MS.AAD.3.8, Entra ID P1, MS.AAD, MS.AAD.3.8 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaManagedDeviceRegistration.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaManagedDeviceRegistration.ps1