Multi-factor authentication is used to authenticate privileged users of systems.

Multi-factor authentication is used to authenticate privileged users of systems

Property	Value
ISM Control	ISM-1173
Revision	4
Updated	Sep-21
Guideline	Not provided
Section	Authentication hardening
Topic	Multi-factor authentication
Essential Eight	ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

The control requires that multi-factor authentication be configured for all remote access connections and all non-console administrative interfaces, including access to code repositories and Cloud management interfaces, to mitigate brute-force attacks on privileged accounts. Implementation should enforce MFA through a Conditional Access policy in the Microsoft Entra admin center to ensure all sign-ins to privileged resources require MFA.¹

For Maturity Level 3, the CA grant must use Require authentication strength → Phishing-resistant MFA — restricting privileged access to FIDO2 security keys, Windows Hello for Business (hardware TPM), certificate-based authentication, or device-bound passkeys only. Push notifications, SMS OTP, and OATH tokens do not satisfy the ML3 requirement for privileged accounts.²³

When combined with Privileged Identity Management (PIM), MFA can be required at activation time for eligible role assignments, providing just-in-time access with phishing-resistant authentication as the activation gate.⁴

Justification

Not provided in source documentation.

Design Decision

[!NOTE] The Conditional Access policy will be created in the Entra ID Portal to require multifactor authentication for all users accessing all resources. It will be configured to enforce MFA as a mandatory access control across the environment.

Prerequisites

Licensing:
- Microsoft Entra ID P1 license is required to configure Conditional Access policies⁵.
- Licensing that includes P1 is included with Microsoft 365 E3 and E5⁵.
Permissions/Roles:
- Access to create and manage Conditional Access policies requires being a Conditional Access Administrator in Microsoft Entra ID⁶.
Dependencies:
- The environment must support Conditional Access policy grants, including: MFA, device compliance, and Entra ID hybrid joined devices⁶.
- If planning to require device compliance, devices should be enrolled in a device management solution such as Intune to enable device compliance marking; Intune enrollment is compatible with policy enforcement (you can enroll devices to Intune even if you require device compliance)⁶.
- For enforcement of device-related conditions, devices should be Microsoft Entra ID joined or hybrid joined as appropriate⁶.

Implementation Steps

Create a Conditional Access policy to require MFA in Entra ID Portal

Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.⁶
Navigate to Entra ID > Conditional Access > Policies.⁶
Select New policy.⁶
Provide a meaningful name for the policy.⁶
Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude:
  - Select Users and groups and choose your organization’s emergency access or break-glass accounts.
  - If you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Connect Cloud Sync, select Directory roles, then select Directory Synchronization Accounts.⁶
Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly ‘All cloud apps’).
- If you must exclude specific applications from your policy, you can choose them from the Exclude tab under Select excluded cloud apps and choose Select.⁶
Under Access controls > Grant.
- Select Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device.
- For multiple controls, select Require one of the selected controls. ⁶
For Maturity Level 3: instead of the Require multifactor authentication grant, select Require authentication strength and choose Phishing-resistant MFA. This restricts acceptable methods to FIDO2 keys, Windows Hello for Business, certificate-based authentication, and device-bound passkeys.³
Confirm your settings and set Enable policy to Report-only.⁶
Select Create to create to enable your policy. After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.⁶

[!NOTE] The policy can be adjusted later to enforce MFA in all real-time sign-ins as needed. ⁶

Essential Eight MFA maturity level 3 covers the phishing-resistant MFA requirements for privileged users and maps them to Entra ID authentication strength policies Essential Eight MFA maturity level 3
Authentication strengths in Conditional Access explains how to configure the built-in or custom authentication strength grant controls and which methods qualify as phishing-resistant Authentication strengths in Conditional Access
Require phishing-resistant MFA for administrators describes the Conditional Access template for enforcing phishing-resistant MFA on admin directory roles Require phishing-resistant MFA for administrators
Governance guidance on using Conditional Access with Privileged Identity Management to enforce MFA for elevated access Microsoft Entra ID Governance deployment guide to govern privileged identities
Essential Eight guidance on enforcing Conditional Access for administrators and device compliance Essential Eight restrict administrative privileges
MFA and device-based access controls for privileged accounts in hybrid and cloud deployments Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID
Just-in-time privileged access management details with MFA requirements What is Microsoft Entra Privileged Identity Management?
Prerequisites for Zero Trust identity and device access policies including phishing-resistant MFA for administrators Prerequisite work for implementing Zero Trust identity and device access policies

🛡️ Essential 8 Guide