From Azure Portal 1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID. 2. Select Security. 3. Select Conditional Access. 4. Select Policies. 5. Click + New policy. 6. Enter a name for the policy. 7. Click the blue text under Users. 8. Select Select users and groups. 9. Select administrative groups this policy should apply to and click Select. 10.Under Exclude, check Users and groups. 11.Select users this policy not should apply to and click Select. 12.Click the blue text under Target resources. 13.Select All cloud apps. 14.Click the blue text under Grant. 15.Under Grant access, check Require multifactor authentication and click Select. 16.Set Enable policy to Report-only. 17.Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On. Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in report level Maximum Attestation Duration policy. Set to a blank value to clear the attestation.

Azure > Management Group

Azure > Subscription

Azure > Tenant

Turbot > Folder

Turbot

Turbot > IAM > Turbot Identity

Turbot > IAM > Unidentified Identity

Azure > Active Directory > Directory

Kubernetes > Cluster

GCP > Project

GitHub > Repository

AWS > Account

ServiceNow > Instance

GCP > Compute Engine > Disk

GCP > Compute Engine > Image

GCP > Compute Engine > Instance

GCP > Compute Engine > Region Disk

GCP > Compute Engine > Snapshot

GCP > Composer > Environment

GCP > Network > Forwarding Rule

GCP > Network > Global Forwarding Rule

GCP > Network > VPN Tunnel

GCP > Bigtable > Instance

GCP > BigQuery > Dataset

GCP > BigQuery > Table

GCP > Memorystore > Instance

GCP > Spanner > Instance

GCP > DNS > Managed Zone

GCP > Vertex AI > Endpoint

GCP > KMS > Crypto Key

GCP > Kubernetes Engine > Region Cluster

GCP > Kubernetes Engine > Zone Cluster

GCP > Dataplex > Lake

GCP > Dataplex > Task

GCP > Dataplex > Zone

GCP > Storage > Bucket

GCP > Secret Manager > Secret

GCP > SQL > Instance

GCP > Dataproc > Cluster

GCP > Dataproc > Job

GCP > Dataproc > Workflow Template

GCP > Pub/Sub > Snapshot

GCP > Pub/Sub > Subscription

GCP > Pub/Sub > Topic

GCP > App Engine > Service

Azure > AKS > Managed Cluster

Azure > DNS > Zone

Azure > DNS > Record Set

Azure > PostgreSQL > Flexible Server

Azure > PostgreSQL > Server

Azure > Monitor > Action Group

Azure > Monitor > Metric Alert

Azure > SQL > Database

Azure > SQL > Elastic Pool

Azure > SQL > Managed Instance

Azure > SQL > Server

Azure > Container Registry > Registry

Azure > Firewall > Firewall

Azure > Data Factory > Factory

Azure > Managed Identity > User Assigned Identity

Azure > Storage > Storage Account

Azure > Log Analytics > Log Analytics Workspace

Azure > API Management > API Management Service

Azure > Application Gateway Service > Application Gateway

Azure > Databricks > Workspace

Azure > SQL Virtual Machine Service > SQL Virtual Machine

Azure > Cosmos DB > Database Account

Azure > Relay > Namespace

Azure > Automation > Automation Account

Azure > Automation > Runbook

Azure > Service Bus > Namespace

Azure > Key Vault > Vault

Azure > SignalR Service > SignalR

Azure > Network Watcher > Network Watcher

Azure > Synapse Analytics > SQL Pool

Azure > Synapse Analytics > Workspace

Azure > Resource Group

Azure > Application Insights > Application Insight

Azure > App Service > App Service Plan

Azure > App Service > Web App

Azure > Search Management > Search Service

Azure > MySQL > Flexible Server

Azure > MySQL > Server [Deprecated]

Azure > Recovery Service > Vault

Azure > Load Balancer > Load Balancer

Azure > Network > Application Security Group

Azure > Network > Bastion Host

Azure > Network > Express Route Circuits

Azure > Network > Network Interface

Azure > Network > Network Security Group

Azure > Network > Private DNS Zones

Azure > Network > Private Endpoints

Azure > Network > Public IP Address

Azure > Network > Route Table

Azure > Network > Virtual Network

Azure > Network > Virtual Network Gateway

Azure > Network > Private Link Service

Azure > Compute > Availability Set

Azure > Compute > Disk

Azure > Compute > Disk Encryption Set

Azure > Compute > Image

Azure > Compute > Snapshot

Azure > Compute > Ssh Public Key

Azure > Compute > Virtual Machine

Azure > Compute > Virtual Machine Scale Set

AWS > Kinesis > Stream

AWS > Kinesis > Kinesis Video Stream

AWS > Well-Architected Tool > Workload

AWS > DMS > Endpoint

AWS > DMS > Replication Instance

AWS > VPC > Egress Only Internet Gateway

GCP > Folder

AWS > Region

AWS > EC2 > Instance

From Azure Portal&#92;n&#92;n1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID.&#92;n2. Select Security.&#92;n3. Select Conditional Access.&#92;n4. Select Policies.&#92;n5. Click + New policy.&#92;n6. Enter a name for the policy.&#92;n7. Click the blue text under Users.&#92;n8. Select Select users and groups.&#92;n9. Select administrative groups this policy should apply to and click Select.&#92;n10.Under Exclude, check Users and groups.&#92;n11.Select users this policy not should apply to and click Select.&#92;n12.Click the blue text under Target resources.&#92;n13.Select All cloud apps.&#92;n14.Click the blue text under Grant.&#92;n15.Under Grant access, check Require multifactor authentication and click Select.&#92;n16.Set Enable policy to Report-only.&#92;n17.Click Create.&#92;n&#92;nAfter testing the policy in report-only mode, update the Enable policy setting from Report-only to On.&#92;n&#92;nOnce verified, enter the date that this attestation expires. Note that the&#92;ndate can not be further in the future than is specified in&#92;nreport level Maximum Attestation Duration policy.&#92;nSet to a blank value to clear the attestation.&#92;n

Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups

Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation

Policy: Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation

Targets

Primary Policy

Policy Specification

Category

In Your Workspace

Developers