CISA.MS.AAD.3.1 - Phishing-resistant MFA SHALL be enforced for all users.
Overview
Phishing-resistant MFA SHALL be enforced for all users.
Rationale: Weaker forms of MFA, such as SMS, voice call, and push or one-time-code approvals, can be defeated by real-time adversary-in-the-middle phishing that relays both the password and the MFA response to the legitimate sign-in page. Phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business, and certificate-based authentication) cryptographically bind the authentication to the origin it was requested for, so a credential captured through a proxied phishing site cannot be replayed. Enforcing those methods for every user removes that class of risk.
Remediation action:
Create a conditional access policy that enforces phishing-resistant MFA for all users. Configure the following settings in the new policy, using the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require authentication strength > Phishing-resistant MFA
A policy with this scope can lock out accounts that have not yet registered a phishing-resistant method, so start it in report-only mode, review the sign-in log results, and then switch it to enabled; a report-only policy does not enforce anything and so does not satisfy this requirement.
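The portal steps above can also be scripted. The block below is an added example written for this page, not code from the Maester project or the CISA baseline. It uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns cmdlets) and assumes the modules are installed and the signed-in account can write Conditional Access policies; the policy display name is an arbitrary choice. It looks up the built-in "Phishing-resistant MFA" authentication strength by name rather than hard-coding its GUID, creates the policy in report-only mode, and reads it back to confirm the three settings the remediation calls for.

```powershell
# Added example (not Maester project code): create the MS.AAD.3.1 policy via Microsoft Graph.
# Assumes: Microsoft.Graph modules installed; caller can write Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Resolve the built-in "Phishing-resistant MFA" authentication strength by name.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' -and $_.PolicyType -eq 'builtIn' }
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" authentication strength not found.' }

# Display name is an arbitrary choice for this example.
$displayName = 'CISA MS.AAD.3.1 - Require phishing-resistant MFA for all users'

# Users > All users; Target resources > All cloud apps; Grant > Require authentication strength.
# The policy starts in report-only mode so the sign-in log shows who would have been blocked.
$policy = @{
    displayName   = $displayName
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and verify the three settings the remediation requires.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$settingsMatch = ($check.Conditions.Users.IncludeUsers -contains 'All') -and
                 ($check.Conditions.Applications.IncludeApplications -contains 'All') -and
                 ($check.GrantControls.AuthenticationStrength.Id -eq $strength.Id)
"Policy '{0}' created in state '{1}'; settings match: {2}" -f $check.DisplayName, $check.State, $settingsMatch

# Once the report-only results look clean, enforce the policy. Report-only does not enforce
# anything, so the requirement is only met after this step.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

If your tenant excludes emergency access accounts from conditional access, add them under `conditions.users.excludeUsers` deliberately and document the exception; the baseline wording is all users, so any exclusion should be a conscious decision rather than a default. After enabling the policy, the page's own Maester check, Test-MtCisaPhishResistant, is the way to confirm the tenant now satisfies the requirement.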
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.1 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaPhishResistant |
| Tags | CISA, CISA.MS.AAD.3.1, Entra ID P1, MS.AAD, MS.AAD.3.1 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaPhishResistant.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaPhishResistant.ps1