
At least one Conditional Access policy requires phishing-resistant MFA strength for administrator roles

entra_admin_users_phishing_resistant_mfa_enabled

Severity: high
Service: entra
by Prowler

This check verifies that at least one enabled Microsoft Entra Conditional Access policy targets administrator roles on All applications and grants access only with the phishing-resistant MFA authentication strength. Disabled policies are ignored and report-only policies are not considered. Policies that use a custom authentication strength are flagged for review to confirm the strength is truly phishing-resistant.

Risk

Without phishing-resistant MFA on admin accounts, attackers can:

  • Bypass OTP and push-based MFA with adversary-in-the-middle (AiTM) phishing
  • Abuse MFA fatigue (repeated push prompts) to obtain a session
  • Perform tenant takeover, alter policies, and exfiltrate data

This harms confidentiality, configuration integrity, and service availability.

Run this check with Prowler CLI

prowler m365 --checks entra_admin_users_phishing_resistant_mfa_enabled

Recommendation

Require phishing-resistant MFA through Conditional Access for all privileged roles on All resources. Prefer FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Apply least privilege, use PIM to step up authentication on role activation, test the policy in report-only mode before enforcing it, and keep a monitored break-glass account.

Remediation

Other
  1. Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
  2. Go to Entra ID > Conditional Access > Policies > New policy
  3. Users > Include > Directory roles > select Global Administrator (or the admin roles you require)
  4. Target resources > Resources (cloud apps) > Include > All cloud apps; ensure Exclude is empty
  5. Grant > Grant access > Require authentication strength > select Phishing-resistant MFA > Select
  6. Enable policy: On
  7. Click Create
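The following is an added example, not Prowler's own check code or Microsoft's API: it builds a policy body in the shape Microsoft Graph uses for Conditional Access policies, mirroring the remediation steps above, and evaluates a set of constructed sample policies against the criteria the check description states (enabled state, All cloud apps with no exclusions, admin roles included, phishing-resistant authentication strength, custom strengths flagged for review). The built-in strength id and Global Administrator role template id are the well-known Microsoft Graph values; the sample policies and their names are constructed for this illustration.

```python
"""Added example (not Prowler's code): evaluate Conditional Access policies in
Microsoft Graph JSON shape against this check's criteria."""
from __future__ import annotations

from typing import Iterable

# Built-in authentication strength id that Microsoft Graph uses for "Phishing-resistant MFA"
PHISHING_RESISTANT_MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
# Directory role template id for Global Administrator
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def build_remediation_policy(admin_role_ids: Iterable[str] = (GLOBAL_ADMIN_ROLE_TEMPLATE_ID,)) -> dict:
    """Policy body mirroring the remediation steps: state On, admin roles included,
    All cloud apps with an empty Exclude list, grant requires phishing-resistant MFA."""
    return {
        "displayName": "Require phishing-resistant MFA for admin roles",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": list(admin_role_ids), "excludeRoles": [],
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH_ID,
                                       "policyType": "builtIn",
                                       "displayName": "Phishing-resistant MFA"},
        },
    }


def evaluate_policy(policy: dict, admin_role_ids: Iterable[str]) -> tuple[str, list[str]]:
    """Classify one policy as 'pass', 'review' (custom strength) or 'fail', with reasons."""
    reasons: list[str] = []
    if policy.get("state") != "enabled":
        # Disabled and report-only ("enabledForReportingButNotEnforced") policies are ignored
        return "fail", [f"state is {policy.get('state')!r}, not enforced"]
    conditions = policy.get("conditions", {})
    apps = conditions.get("applications", {})
    if "All" not in apps.get("includeApplications", []):
        reasons.append("does not target All cloud apps")
    if apps.get("excludeApplications"):
        reasons.append("Exclude list for applications is not empty")
    users = conditions.get("users", {})
    missing = [r for r in admin_role_ids if r not in users.get("includeRoles", [])]
    if missing:
        reasons.append(f"admin roles not included: {missing}")
    excluded = [r for r in admin_role_ids if r in users.get("excludeRoles", [])]
    if excluded:
        reasons.append(f"admin roles excluded: {excluded}")
    strength = policy.get("grantControls", {}).get("authenticationStrength") or {}
    needs_review = False
    if not strength:
        reasons.append("no authentication strength is required")
    elif strength.get("policyType") == "custom":
        # A custom strength needs a human to confirm it is truly phishing-resistant
        needs_review = True
    elif strength.get("id") != PHISHING_RESISTANT_MFA_STRENGTH_ID:
        reasons.append(f"strength {strength.get('displayName') or strength.get('id')} "
                       "is not Phishing-resistant MFA")
    if reasons:
        return "fail", reasons
    return ("review", [f"custom strength {strength.get('id')} requires review"]) if needs_review else ("pass", [])


def evaluate_tenant(policies: list[dict], admin_role_ids: Iterable[str] = (GLOBAL_ADMIN_ROLE_TEMPLATE_ID,)) -> dict:
    """PASS if any policy meets every criterion, MANUAL if the only candidates use a
    custom strength, otherwise FAIL; per-policy verdicts are returned alongside."""
    per_policy = {p["displayName"]: evaluate_policy(p, admin_role_ids) for p in policies}
    verdicts = [v for v, _ in per_policy.values()]
    status = "PASS" if "pass" in verdicts else ("MANUAL" if "review" in verdicts else "FAIL")
    return {"status": status, "policies": per_policy}


# Constructed sample tenant: two ignored policies, one weak grant, one custom strength
SAMPLE_POLICIES = [
    {**build_remediation_policy(), "displayName": "Admin PR-MFA (disabled)", "state": "disabled"},
    {**build_remediation_policy(), "displayName": "Admin PR-MFA (report-only)",
     "state": "enabledForReportingButNotEnforced"},
    {
        "displayName": "Admin MFA (any method)",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID], "excludeRoles": []},
                       "applications": {"includeApplications": ["All"], "excludeApplications": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        **build_remediation_policy(), "displayName": "Admin custom strength",
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": "example-custom-strength-id",
                                                     "policyType": "custom",
                                                     "displayName": "Contoso passkeys only"}},
    },
]

if __name__ == "__main__":
    for name, (verdict, why) in evaluate_tenant(SAMPLE_POLICIES)["policies"].items():
        print(f"{verdict:6} {name}: {'; '.join(why) or 'ok'}")
    print("status:", evaluate_tenant(SAMPLE_POLICIES)["status"])
```

With the sample tenant as constructed, the disabled and report-only policies are ignored, the `mfa` built-in control is rejected because it is not an authentication strength, and the custom strength leaves the tenant at MANUAL; appending the policy from `build_remediation_policy()` turns the result to PASS. Real tenants would feed the objects returned by `GET /identity/conditionalAccess/policies` in place of `SAMPLE_POLICIES`.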


Resource Type

NotDefined
