2

I do have users assigned as Owners to Subs. I also have MFA forced for set of users, not all from AAD.

I am trying to find a solution (policy?) where I can block the Owner of a Subscription from adding a user to the Sub who does not have the MFA solution applied yet. Only users with MFA should be available for assignment.

Do you have an idea how this can be achieved?

I was thinking about a policy where I would use "Microsoft.Security/complianceResults" & "EnableMFAForWritePermissions" & "Microsoft.Security/complianceResults/resourceStatus" so I can prevent adding such a user, which would affect resource compliance, but multiple tests haven't worked yet.

Thanks

maras2002
  • 193
  • 5

1 Answer

0

I would leverage Conditional Access in Azure. I would configure it on the owners group to require MFA when performing user administration. I would use one of the existing policies, like Require MFA for Administrators, etc., as the example that I would fine-tune.

Here are links to the docs for some of these concepts:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa

Jamie
  • 3,094
  • 1
  • 18
  • 28
  • Jamie, we do have a group which is reflected in Azure CA, but not everyone is a member of this group. So we want to avoid adding users without this group (so without CA/MFA) to any subscription (by Sub Owner). There are some policies checking the MFA existence, e.g. `"type": "Microsoft.Security/complianceResults", "name": "EnableMFAForWritePermissions", "existenceCondition": {"field": "Microsoft.Security/complianceResults/resourceStatus", "in": ["OffByPolicy", "Healthy"]}`, but I am struggling when building a custom policy that prevents (Deny) adding a user with no MFA to a subscription. – maras2002 Sep 19 '19 at 07:57
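As an added example (not from the question or the answer above), the following shows the Conditional Access approach Jamie describes in the JSON shape Microsoft Graph accepts for a conditionalAccessPolicy, together with a small offline evaluator that reports which existing Owner assignments such a policy would leave without an MFA requirement. The group ID, principal IDs and role assignment list are constructed placeholders; the evaluator approximates Conditional Access scoping (exclusions win, report-only enforces nothing) and is not Microsoft's code.

```python
# Added example: a Conditional Access policy body (Microsoft Graph shape,
# POST /identity/conditionalAccess/policies) plus an offline check of which
# subscription Owners it covers. IDs below are constructed placeholders.

AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
OWNERS_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder: group holding subscription Owners

CA_POLICY = {
    "displayName": "Require MFA for Azure management (subscription Owners)",
    "state": "enabledForReportingButNotEnforced",  # start report-only, switch to "enabled" after review
    "conditions": {
        "users": {"includeGroups": [OWNERS_GROUP_ID], "excludeUsers": []},
        "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def mfa_enforced(policy, user_id, user_groups, app_id):
    """True if `policy` would require MFA for `user_id` signing in to `app_id`.
    Approximates Conditional Access evaluation: exclusions override inclusions."""
    if policy["state"] != "enabled":
        return False  # report-only or disabled policies block nothing
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    in_scope_user = (
        "All" in users.get("includeUsers", [])
        or user_id in users.get("includeUsers", [])
        or any(g in users.get("includeGroups", []) for g in user_groups)
    )
    if user_id in users.get("excludeUsers", []) or any(g in users.get("excludeGroups", []) for g in user_groups):
        in_scope_user = False
    in_scope_app = "All" in apps["includeApplications"] or app_id in apps["includeApplications"]
    return in_scope_user and in_scope_app and "mfa" in policy["grantControls"]["builtInControls"]

def uncovered_owners(policy, role_assignments, group_membership):
    """Principal IDs holding Owner that `policy` would NOT force through MFA.
    role_assignments: [(principal_id, role_name)]; group_membership: {principal_id: [group_ids]}.
    This is the gap in the question: Azure Policy cannot see a principal's MFA state,
    so the control has to be applied at sign-in (Conditional Access) and audited like this."""
    return sorted(
        pid for pid, role in role_assignments
        if role == "Owner" and not mfa_enforced(policy, pid, group_membership.get(pid, []), AZURE_MANAGEMENT_APP_ID)
    )

# Constructed sample data: two Owners, one of them outside the CA group.
SAMPLE_ASSIGNMENTS = [("user-alice", "Owner"), ("user-bob", "Owner"), ("user-carol", "Reader")]
SAMPLE_MEMBERSHIP = {"user-alice": [OWNERS_GROUP_ID], "user-bob": []}
ENFORCED_POLICY = {**CA_POLICY, "state": "enabled"}
```

Running `uncovered_owners(ENFORCED_POLICY, SAMPLE_ASSIGNMENTS, SAMPLE_MEMBERSHIP)` on the sample data lists `user-bob`, the Owner who is not in the group the policy targets.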