Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
Azure
Loading controls...

Control: Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled

Configures auditing against a CIS Benchmark item.

Level: 1

[IMPORTANT - Please read the section overview: If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, F5, or Business Premium, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.]

Do not allow users to remember multi-factor authentication on devices.

Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.

Resource Types

This control targets the following resource types:

  • Azure > Active Directory > Directory

Policies

This control type relies on these other policies when running actions:

  • Azure > CIS v5.0 > Maximum Attestation Duration
  • Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled > Attestation
  • Azure > CIS v5.0
  • Azure > CIS v5.0 > 5 - Identity Services > 5.01 - Security Defaults (Per-User MFA) > 5.01.03 - Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled
  • Azure > CIS v5.0 > 5 - Identity Services
  • Azure > CIS v5.0 > 5 - Identity Services > Maximum Attestation Duration

Category

  • CIS > Controls v7 > 16 Account Monitoring and Control > 16.03 Require Multi-factor Authentication

In Your Workspace

  • Controls by Resource report
  • Controls by Control Type report

Developers

    Control Type URI
    • tmod:@turbot/azure-cisv5-0#/control/types/r050103
    • Category URI
    • tmod:@turbot/cis#/control/categories/v071603
    • GraphQL
    • query controlType(id: "tmod:@turbot/azure-cisv5-0#/control/types/r050103") { … }
    • query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv5-0#/control/types/r050103'") { … }
    • CLI
    • Get Controls
    • turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv5-0#/control/types/r050103"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
50
Mods
207
Resource Types
3,612
Policies
1,957
Controls
103
Quick Actions
114
IAM