
Users in administrative roles require multifactor authentication via a Conditional Access policy for all applications

entra_admin_users_mfa_enabled

Severity: high
Service: entra
by Prowler

This check verifies that Microsoft Entra Conditional Access policies enforce multifactor authentication for users in administrative roles across all resources.

The check passes when at least one enabled policy targets the administrative directory roles (or all users), includes all applications, and grants access only when Require multifactor authentication is satisfied. Policies in report-only or disabled state evaluate sign-ins but never block them, so they do not count.

Risk

Without enforced MFA on privileged accounts, stolen or phished passwords can grant admin access, enabling tenant takeover. Attackers may exfiltrate data, change configurations, consent malicious apps, and disable protections, impacting confidentiality, integrity, and availability.

Run this check with Prowler CLI

prowler m365 --checks entra_admin_users_mfa_enabled

Recommendation

Require MFA for all administrative roles with Conditional Access scoped to All cloud apps (All resources) to avoid gaps. Prefer phishing-resistant methods (FIDO2 security keys and passkeys, including passkeys in Microsoft Authenticator; push approvals and one-time codes are not phishing-resistant). Apply least privilege, limit exclusions, protect break-glass accounts, monitor sign-ins, and verify that policies actively enforce rather than only report.

Remediation

CLI

az rest --method post --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body '{"displayName":"Require MFA for all users","state":"enabled","conditions":{"users":{"includeUsers":["All"]},"applications":{"includeApplications":["All"]}},"grantControls":{"operator":"OR","builtInControls":["mfa"]}}'

Other (Entra admin center)
  1. Sign in to Microsoft Entra admin center > Entra ID > Protection > Conditional Access > Policies > New policy
  2. Users: Include > All users (or Select users and groups > Directory roles, selecting the administrative roles); Exclude > only the break-glass accounts
  3. Target resources: Include > All cloud apps (All resources)
  4. Grant: Grant access > Require multifactor authentication > Select
  5. Enable policy: On > Create
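The evaluation described above (enabled policy, admin roles or all users, all applications, MFA as the only grant control) and the remediation policy shaped like the `az rest` body can both be shown offline against Microsoft Graph style policy objects. The following is an added example, not Prowler's own check code: it assumes an illustrative subset of admin role template IDs (the full list the real check uses is not on this page), treats an `authenticationStrength` grant as a stricter form of requiring MFA, and uses constructed sample policies and a placeholder break-glass object ID.

```python
"""Added example (not Prowler's own code): evaluate Graph Conditional Access
policy objects the way the check above describes, and build a remediation
policy scoped to administrative roles that passes it."""

# Directory role template IDs treated as administrative. Global Administrator
# is the well-known ID; the full role list the real check uses is not shown on
# this page, so this set is an illustrative assumption.
ADMIN_ROLE_IDS = frozenset({
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
})


def policy_enforces_admin_mfa(policy: dict) -> bool:
    """True if this single policy enforces MFA for admin roles on all apps."""
    # Report-only and disabled policies evaluate sign-ins but never block them.
    if policy.get("state") != "enabled":
        return False

    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    apps = conditions.get("applications") or {}

    # Scope: every monitored admin role must be included (or "All" users), and
    # none of them may be carved out again through excludeRoles.
    included_roles = set(users.get("includeRoles") or [])
    excluded_roles = set(users.get("excludeRoles") or [])
    covers_admins = ("All" in (users.get("includeUsers") or [])
                     or ADMIN_ROLE_IDS <= included_roles)
    if not covers_admins or ADMIN_ROLE_IDS & excluded_roles:
        return False

    # Scope: all applications; a per-app policy leaves every other app open.
    if "All" not in (apps.get("includeApplications") or []):
        return False

    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    operator = grant.get("operator")
    # With operator OR any one listed control satisfies the grant, so
    # ["mfa", "compliantDevice"] under OR lets a compliant device skip MFA.
    # MFA is only guaranteed when it is the sole control or operator is AND.
    mfa_required = "mfa" in controls and (controls == {"mfa"} or operator == "AND")
    # Assumption: an authenticationStrength grant (phishing-resistant MFA)
    # is a stricter form of requiring MFA and is accepted here as well.
    strength_required = bool(grant.get("authenticationStrength"))
    return mfa_required or strength_required


def evaluate_tenant(policies: list[dict]) -> tuple[bool, list[str]]:
    """Return (passes, names of the policies that satisfy the check)."""
    enforcing = [p["displayName"] for p in policies if policy_enforces_admin_mfa(p)]
    return bool(enforcing), enforcing


def build_admin_mfa_policy(break_glass_user_ids: list[str]) -> dict:
    """Body for POST /identity/conditionalAccess/policies, scoped to the admin
    roles above with only the break-glass accounts excluded."""
    return {
        "displayName": "Require MFA for administrative roles",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeRoles": sorted(ADMIN_ROLE_IDS),
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed sample policies, shaped like Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = [
    {   # report-only: looks right but enforces nothing
        "displayName": "Admins MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeRoles": sorted(ADMIN_ROLE_IDS)},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # scoped to a single application: gap everywhere else
        "displayName": "MFA for Office 365 only",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["Office365"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # OR with a second control: a compliant device bypasses MFA
        "displayName": "MFA or compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
]

if __name__ == "__main__":
    print(evaluate_tenant(SAMPLE_POLICIES))                      # (False, [])
    # "<break-glass-object-id>" is a placeholder, not a real object ID.
    fixed = SAMPLE_POLICIES + [build_admin_mfa_policy(["<break-glass-object-id>"])]
    print(evaluate_tenant(fixed))
```

Each of the three sample policies fails for a different reason the check cares about (report-only state, a single-app scope, and an OR grant that lets a compliant device stand in for MFA); adding the role-scoped policy with a break-glass exclusion is enough to turn the tenant result to pass.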

Resource Type: NotDefined