I Enabled MFA By Default, We Are Secure, Right?

Maybe not

Attack vector created by storyset — Freepik

A recent post caught my eye, and it’s something I’ve discussed many times:

Many orgs will set MFA by default, but they fail to actually set up MFA on multiple accounts. As this shows, if you haven’t done it already, the attackers can do it for you.

I wrote about this a while back, as many of these accounts may be “service accounts” (Medium).

Admins need to be reviewing all the privileged accounts and figuring out an MFA method. It may be that you can set up a conditional access policy to limit the registration of MFA to set criteria. If this is not viable, then define a conditional access policy around the application itself.

Conditional access allows you to be quite granular, so if you set it per use case, this will help prevent access even if the MFA is set by the attacker (given legacy auth is disabled).

For AzureAD, I’ve written a simple PowerShell script that uses the MSOnline module. The script runs through roles with “*Admin*” in the name and checks each user’s MFA status. Those that come back False are worth reviewing.

The only limitation is that it has to run on PowerShell 5.

Find the code here: Github/Get-AzPriv_MFA.ps1
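
A minimal sketch of the kind of check described above, as an added example and not the Get-AzPriv_MFA.ps1 script itself. It assumes the MSOnline module is installed and that the signed-in account can read roles and users; the output file name is a placeholder.

```powershell
#Requires -Modules MSOnline
# Added example (not the author's script). Run in Windows PowerShell 5.x,
# since the post notes the MSOnline module needs PowerShell 5.

Connect-MsolService   # interactive sign-in

$report = foreach ($role in Get-MsolRole | Where-Object Name -like '*Admin*') {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
        # Roles can also hold service principals; only users register MFA.
        if ($member.RoleMemberType -ne 'User') { continue }

        $user    = Get-MsolUser -ObjectId $member.ObjectId
        $methods = @($user.StrongAuthenticationMethods)
        $default = $methods | Where-Object IsDefault | Select-Object -First 1

        [pscustomobject]@{
            Role          = $role.Name
            User          = $user.UserPrincipalName
            SignInBlocked = $user.BlockCredential
            # False = no method registered, so whoever signs in first can enrol one
            MfaRegistered = $methods.Count -gt 0
            DefaultMethod = $default.MethodType
            # Per-user MFA state; empty when MFA is only driven by conditional access
            PerUserState  = $user.StrongAuthenticationRequirements.State
        }
    }
}

# Unregistered accounts sort to the top; a user in several roles appears once per role.
$report | Sort-Object MfaRegistered, Role | Format-Table -AutoSize

# Placeholder file name: keep a copy of the accounts that need review.
$report | Where-Object { -not $_.MfaRegistered } |
    Export-Csv -Path .\admins-without-mfa.csv -NoTypeInformation
```

The report shows registration only; whether MFA is actually enforced for those accounts still depends on the conditional access policies discussed above.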

References: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0
