From Azure Portal<br /><br />1. From Azure Home select the Portal Menu 2. Select Microsoft Entra ID blade 3. Under Manage, click Roles and administrators 4. Take note of all users with the role Service Co-Administrators Owners or Contributors 5. Return to the Overview 6. Under Manage, click Users 7. Click on the Per-User MFA button in the top row menu 8. Check the box next to each noted user 9. Click Enable MFA 10.Click Enable<br /><br />Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in report level Maximum Attestation Duration policy. Set to a blank value to clear the attestation. 

Azure > Management Group

Azure > Subscription

Azure > Tenant

Turbot > Folder

Turbot

Turbot > IAM > Turbot Identity

Turbot > IAM > Unidentified Identity

Azure > Active Directory > Directory

Kubernetes > Cluster

GCP > Project

GitHub > Repository

AWS > Account

ServiceNow > Instance

GCP > Compute Engine > Disk

GCP > Compute Engine > Image

GCP > Compute Engine > Instance

GCP > Compute Engine > Region Disk

GCP > Compute Engine > Snapshot

GCP > Composer > Environment

GCP > Network > Forwarding Rule

GCP > Network > Global Forwarding Rule

GCP > Network > VPN Tunnel

GCP > Bigtable > Instance

GCP > BigQuery > Dataset

GCP > BigQuery > Table

GCP > Memorystore > Instance

GCP > Spanner > Instance

GCP > DNS > Managed Zone

GCP > Vertex AI > Endpoint

GCP > KMS > Crypto Key

GCP > Kubernetes Engine > Region Cluster

GCP > Kubernetes Engine > Zone Cluster

GCP > Dataplex > Lake

GCP > Dataplex > Task

GCP > Dataplex > Zone

GCP > Storage > Bucket

GCP > Secret Manager > Secret

GCP > SQL > Instance

GCP > Dataproc > Cluster

GCP > Dataproc > Job

GCP > Dataproc > Workflow Template

GCP > Pub/Sub > Snapshot

GCP > Pub/Sub > Subscription

GCP > Pub/Sub > Topic

GCP > App Engine > Service

Azure > AKS > Managed Cluster

Azure > DNS > Zone

Azure > DNS > Record Set

Azure > PostgreSQL > Flexible Server

Azure > PostgreSQL > Server

Azure > Monitor > Action Group

Azure > Monitor > Metric Alert

Azure > SQL > Database

Azure > SQL > Elastic Pool

Azure > SQL > Managed Instance

Azure > SQL > Server

Azure > Container Registry > Registry

Azure > Firewall > Firewall

Azure > Data Factory > Factory

Azure > Managed Identity > User Assigned Identity

Azure > Storage > Storage Account

Azure > Log Analytics > Log Analytics Workspace

Azure > API Management > API Management Service

Azure > Application Gateway Service > Application Gateway

Azure > Databricks > Workspace

Azure > SQL Virtual Machine Service > SQL Virtual Machine

Azure > Cosmos DB > Database Account

Azure > Relay > Namespace

Azure > Automation > Automation Account

Azure > Automation > Runbook

Azure > Service Bus > Namespace

Azure > Key Vault > Vault

Azure > SignalR Service > SignalR

Azure > Network Watcher > Network Watcher

Azure > Synapse Analytics > SQL Pool

Azure > Synapse Analytics > Workspace

Azure > Resource Group

Azure > Application Insights > Application Insight

Azure > App Service > App Service Plan

Azure > App Service > Web App

Azure > Search Management > Search Service

Azure > MySQL > Flexible Server

Azure > MySQL > Server [Deprecated]

Azure > Recovery Service > Vault

Azure > Load Balancer > Load Balancer

Azure > Network > Application Security Group

Azure > Network > Bastion Host

Azure > Network > Express Route Circuits

Azure > Network > Network Interface

Azure > Network > Network Security Group

Azure > Network > Private DNS Zones

Azure > Network > Private Endpoints

Azure > Network > Public IP Address

Azure > Network > Route Table

Azure > Network > Virtual Network

Azure > Network > Virtual Network Gateway

Azure > Network > Private Link Service

Azure > Compute > Availability Set

Azure > Compute > Disk

Azure > Compute > Disk Encryption Set

Azure > Compute > Image

Azure > Compute > Snapshot

Azure > Compute > Ssh Public Key

Azure > Compute > Virtual Machine

Azure > Compute > Virtual Machine Scale Set

AWS > Kinesis > Stream

AWS > Kinesis > Kinesis Video Stream

AWS > Well-Architected Tool > Workload

AWS > DMS > Endpoint

AWS > DMS > Replication Instance

AWS > VPC > Egress Only Internet Gateway

GCP > Folder

AWS > Region

AWS > EC2 > Instance

From Azure Portal&#92;n&#92;n1. From Azure Home select the Portal Menu&#92;n2. Select Microsoft Entra ID blade&#92;n3. Under Manage, click Roles and administrators&#92;n4. Take note of all users with the role Service Co-Administrators Owners or Contributors&#92;n5. Return to the Overview&#92;n6. Under Manage, click Users&#92;n7. Click on the Per-User MFA button in the top row menu&#92;n8. Check the box next to each noted user&#92;n9. Click Enable MFA&#92;n10.Click Enable&#92;n&#92;nOnce verified, enter the date that this attestation expires. Note that the&#92;ndate can not be further in the future than is specified in&#92;nreport level Maximum Attestation Duration policy.&#92;nSet to a blank value to clear the attestation.&#92;n

Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that &#39;Multi-Factor Auth Status&#39; is &#39;Enabled&#39; for all Privileged Users

Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that &#39;Multi-Factor Auth Status&#39; is &#39;Enabled&#39; for all Privileged Users > Attestation

Policy: Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation

Targets

Primary Policy

Policy Specification

Category

In Your Workspace

Developers