
Introduction:
Microsoft is tightening security by enforcing mandatory Multi-Factor Authentication (MFA) for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure-as-Code (IaC) tools starting September 15. This move aims to reduce credential-based attacks. Security expert Nathan McNulty has shared tools and templates to audit compliance before enforcement.
Learning Objectives:
- Understand Microsoft’s new MFA enforcement policy for Azure services.
- Learn how to audit compliance using Conditional Access (CA) templates and KQL queries.
- Implement best practices for securing non-Service Principal-based authentication.
1. Importing Nathan McNulty’s Conditional Access Template
Microsoft’s new MFA requirement affects Azure CLI, PowerShell, and IaC tools that rely on interactive logins. Nathan McNulty provides a Conditional Access (CA) template to audit these applications before enforcement.
Steps to Import the Template:
1. Download the template from this link.
2. Navigate to Azure AD > Security > Conditional Access > Templates.
3. Click “Import” and upload the JSON file.
4. Review the policy in Report-only mode to assess impact.
Why This Matters:
This template helps identify which users and apps will be affected by the MFA enforcement, allowing admins to remediate issues proactively.
2. Using Microsoft’s Official Guidance on MFA Enforcement
Microsoft has published additional details on the upcoming changes.
Key Resources:
- Official Microsoft Documentation – Explains scope and exceptions.
- Impact Assessment: Use Azure AD Sign-in Logs to track non-compliant logins.
Command to Check Non-MFA Logins (PowerShell):
Get-AzureADAuditSignInLogs -Filter "startsWith(AppDisplayName, 'Azure') and MfaDetail eq 'None'" -Top 100
This retrieves recent Azure logins without MFA.
3. Auditing with MSIdentityTools Module (Custom PR Included)
Nathan McNulty notes that the default MSIdentityTools module report is incomplete. He submitted a Pull Request (PR) to improve it.
Steps to Use Enhanced Reporting:
1. Install the MSIdentityTools module:
Install-Module MSIdentityTools -Force
2. Export sign-in logs (online queries may fail):
Export-MgBetaAuditLogSignIn -OutputFilePath "C:\SignInLogs.json"
3. Analyze logs for non-MFA Azure CLI/PowerShell logins.
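One way to carry out step 3 on an exported file, as an added example (not code from the original post, Nathan McNulty, or the MSIdentityTools project). It assumes the export is a JSON array of Microsoft Graph signIn objects; the function name Get-AzureSingleFactorSignIn and the sample records are constructed for illustration, and the filter matches "Azure" anywhere in the app name so that names such as "Microsoft Azure CLI" are included.

```powershell
# Constructed sample records using Microsoft Graph signIn property names.
# To audit a real export, replace the here-string with:
#   $json = Get-Content -Raw 'C:\SignInLogs.json'
$json = @'
[
  {"createdDateTime":"2025-01-10T08:15:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}},
  {"createdDateTime":"2025-01-11T09:30:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.22","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}},
  {"createdDateTime":"2025-01-11T10:05:00Z","userPrincipalName":"deploy@example.com","appDisplayName":"Microsoft Azure PowerShell","ipAddress":"198.51.100.7","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}},
  {"createdDateTime":"2025-01-11T11:00:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.40","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}},
  {"createdDateTime":"2025-01-12T07:45:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Azure PowerShell","ipAddress":"198.51.100.9","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}},
  {"createdDateTime":"2025-01-12T08:00:00Z","userPrincipalName":"dave@example.com","appDisplayName":"Office 365 Exchange Online","ipAddress":"198.51.100.11","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
]
'@

function Get-AzureSingleFactorSignIn {
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        [string] $AppPattern = 'Azure'   # regex matched against appDisplayName
    )
    $SignIn |
        Where-Object {
            $_.appDisplayName -match $AppPattern -and
            $_.status.errorCode -eq 0 -and   # successful sign-ins only
            $_.authenticationRequirement -eq 'singleFactorAuthentication'
        } |
        Group-Object userPrincipalName, appDisplayName |
        ForEach-Object {
            # Cast handles both string and already-parsed DateTime values
            $times = $_.Group | ForEach-Object { [datetime]$_.createdDateTime }
            [pscustomobject]@{
                User      = $_.Group[0].userPrincipalName
                App       = $_.Group[0].appDisplayName
                SignIns   = $_.Count
                LastSeen  = ($times | Measure-Object -Maximum).Maximum
                SourceIPs = ($_.Group.ipAddress | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object SignIns -Descending
}

# One row per user/app pair that still signs in to Azure tooling without MFA
$records = $json | ConvertFrom-Json
Get-AzureSingleFactorSignIn -SignIn $records | Format-Table -AutoSize
```

Accounts that appear here and run unattended scripts are the candidates for migration to Service Principals; the rest need MFA registered before enforcement.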
4. KQL Query for Defender XDR & Azure Monitor Users
For organizations ingesting logs into Defender XDR or Azure Monitor, Nathan suggests a Kusto Query Language (KQL) approach.
Sample KQL Query:
SigninLogs
| where AppDisplayName startswith "Azure"
| where ResultType == "0" // Successful logins
| where AuthenticationRequirement == "singleFactorAuthentication" // Sign-ins that did not require MFA
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress
This identifies successful Azure logins without MFA.
5. Remediation Steps Before September 15
To avoid disruptions, follow these steps:
1. Enforce MFA for all Azure admin roles.
2. Migrate scripts to Service Principals where possible.
3. Test Nathan’s CA template in Report-only mode.
PowerShell Command to Enable MFA for a User:
Set-MsolUser -UserPrincipalName "user@example.com" -StrongAuthenticationRequirements @{State="Enabled"}
What Undercode Say:
- Key Takeaway 1: Microsoft’s MFA enforcement is a necessary security upgrade but may break legacy scripts.
- Key Takeaway 2: Proactive auditing with CA templates, KQL, and PowerShell is critical for compliance.
Analysis:
This policy shift reflects Microsoft’s push toward Zero Trust. Organizations relying on interactive Azure CLI/PowerShell logins must adapt quickly. Nathan’s tools provide a head start, but enterprises should also consider automated remediation workflows to enforce MFA at scale.
Prediction:
- Short-term: Some organizations will face script failures if they don’t enforce MFA in time.
- Long-term: Microsoft may expand MFA requirements to more Azure services, pushing broader passwordless adoption.
By preparing now, security teams can avoid last-minute chaos and align with Microsoft’s evolving security standards.
Reported By: Nathanmcnulty On – Hackers Feeds


