KURAL.ai
Sarah Chen · MGA · UKGC · CA-ON-AGCO · BR-SPA

All admin role assignments must have MFA registered

IDENTITY.ENTRA.MFA.ADMIN · GLOBAL · operational_security
Severity
critical
Cadence
daily
Region
global
Current status (Apollo Gaming Ltd.)
not evaluated

Requirement

Every user assigned a privileged admin role in Entra ID (Global Admin, Privileged Role Admin, Security Admin, Conditional Access Admin, etc.) must have multi-factor authentication registered. Conditional Access must enforce MFA at sign-in for these roles.

Source: AICPA TSC CC6.1 + CIS Microsoft 365 Foundations 1.2

Remediation guidance

Identify each admin without MFA registered. Enrol them via Microsoft Authenticator or a hardware token. Audit the Conditional Access policy "Require MFA for admins" — it should be in state=enabled and include all admin roleTemplateIds.

Evidence specification

Evidence type
infra_config
Connector
idp-entra
Spec
{
  "query": "admin_role_assignments",
  "required_fields": [
    "roleTemplateId",
    "displayName",
    "members"
  ]
}
Acceptance criteria
  • every member of every admin role has mfa=true
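
One way to evaluate this evidence against the acceptance criterion and the Conditional Access checks from the remediation guidance. This is an added example, not the product's own evaluator: the member fields `id` and `mfa`, the policy layout (modelled on Microsoft Graph's conditionalAccessPolicy `state` and `conditions.users.includeRoles`), and all sample values are assumptions.

```python
REQUIRED_FIELDS = ("roleTemplateId", "displayName", "members")

def evaluate(roles, policy):
    """Return a list of findings; an empty list means the control passes."""
    findings = []
    users = (policy.get("conditions") or {}).get("users") or {}
    covered = set(users.get("includeRoles") or [])
    # Report-only mode logs sign-ins but does not enforce, so only "enabled" passes.
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, expected 'enabled'")
    for role in roles:
        name = role.get("displayName", "<unnamed role>")
        missing = [f for f in REQUIRED_FIELDS if f not in role]
        if missing:
            # Incomplete evidence cannot prove compliance, so it is a finding.
            findings.append(f"{name}: evidence missing fields {missing}")
        if "roleTemplateId" in role and role["roleTemplateId"] not in covered:
            findings.append(f"{name}: roleTemplateId not included in policy")
        for member in role.get("members", []):
            # Fail closed: an absent or non-boolean mfa value counts as not registered.
            if member.get("mfa") is not True:
                findings.append(f"{name}: member {member.get('id', '<unknown>')} lacks MFA")
    return findings

# Constructed sample evidence; the roleTemplateId values are placeholders, not real IDs.
SAMPLE_ROLES = [
    {"roleTemplateId": "tmpl-global-admin", "displayName": "Global Administrator",
     "members": [{"id": "u1", "mfa": True}, {"id": "u2", "mfa": False}]},
    {"roleTemplateId": "tmpl-security-admin", "displayName": "Security Administrator",
     "members": [{"id": "u3"}]},  # mfa key absent
    {"roleTemplateId": "tmpl-ca-admin",
     "displayName": "Conditional Access Administrator"},  # members field missing
]
SAMPLE_POLICY = {
    "displayName": "Require MFA for admins",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeRoles": ["tmpl-global-admin"]}},
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ROLES, SAMPLE_POLICY):
        print("FAIL:", finding)
```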

Recent evaluations (Apollo Gaming Ltd.)

No evaluation history for this control yet.