Control: Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
Configures auditing against a CIS Benchmark item.
Level: 1
Joining or registering devices to the active directory should require Multi-factor authentication.
Multi-factor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. Note: Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v2.0 > Maximum Attestation Duration
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation
- Azure > CIS v2.0
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv2-0#/control/types/r0122
- tmod:@turbot/cis#/control/categories/v071603
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv2-0#/control/types/r0122"
Get Controls