CISA.MS.AAD.3.2 - If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.
Overview
If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.
Rationale: This is a stopgap security policy that helps protect the tenant while phishing-resistant MFA has not yet been enforced. It requires MFA for every sign-in, reducing the risk that a password alone grants access.
Remediation action:
If phishing-resistant MFA has not been enforced for all users yet, create a conditional access policy that enforces MFA but does not dictate MFA method. Configure the following policy settings in the new conditional access policy, per the values below:
- Users > Include > All users
- Target resources > Cloud apps > All cloud apps
- Access controls > Grant > Grant Access > Require multifactor authentication
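The following is an added example (not Maester's own Test-MtCisaMfa code) using the Microsoft Graph PowerShell SDK: it checks whether an enabled Conditional Access policy already matches the three settings above, and otherwise creates that policy in report-only mode so sign-in impact can be reviewed before enforcement. It assumes the SDK is installed and the caller holds the Policy.Read.All and Policy.ReadWrite.ConditionalAccess scopes; the function names are illustrative.

```powershell
# Assumes Microsoft.Graph PowerShell SDK; function names are illustrative, not Maester's.

function Test-AllUsersMfaPolicy {
    # Returns enabled Conditional Access policies that satisfy CISA.MS.AAD.3.2:
    # all users, all cloud apps, and the "Require multifactor authentication" grant.
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    $policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.Applications.IncludeApplications -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    }
}

function New-AllUsersMfaPolicyReportOnly {
    # Builds the remediation policy from the page. State is report-only so the
    # effect on sign-ins can be reviewed; switch it to 'enabled' to enforce.
    # Practitioners commonly exclude an emergency-access account first; that
    # exclusion is deliberately not hard-coded here.
    $body = @{
        displayName   = 'CISA MS.AAD.3.2 - Require MFA for all users'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All') }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Usage: sign in with read scope for the check and write scope for remediation.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
$matching = @(Test-AllUsersMfaPolicy)
if ($matching.Count -gt 0) {
    "Compliant: $($matching.DisplayName -join ', ')"
} else {
    "No all-users MFA policy found; creating one in report-only mode."
    New-AllUsersMfaPolicyReportOnly | Select-Object Id, DisplayName, State
}
```

Policies whose grant is an authentication strength rather than the built-in `mfa` control are not counted here; those are the subject of the phishing-resistant check (MS.AAD.3.1), not this stopgap.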
Related links
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.3.2 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID P1 |
| PowerShell test | Test-MtCisaMfa |
| Tags | CISA, CISA.MS.AAD.3.2, Entra ID P1, MS.AAD, MS.AAD.3.2 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaMfa.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaMfa.ps1