IA-2(1) / IA-2(2) / AC-6(5) NIST SP 800-53 Rev 5

MFA bypass / exception register reviewed quarterly

Description

What this control does

This control establishes a formal quarterly review process for all documented exceptions and bypasses to multi-factor authentication (MFA) requirements. Organizations maintain a centralized register of accounts, systems, or user groups granted temporary or permanent MFA exemptions, including business justification, approval authority, and expiration dates. Quarterly reviews validate that each exception remains necessary, appropriately scoped, and supported by compensating controls. This prevents MFA bypass creep and ensures high-risk exceptions receive continuous scrutiny.

Control objective

What auditing this proves

Demonstrate that MFA bypass and exception entries are formally reviewed at least quarterly, that outdated or unjustified exceptions are revoked, and that compensating controls are validated for all active exceptions.

Associated risks

Risks this control addresses

  • Attackers compromise accounts or service principals excluded from MFA due to stale or forgotten exceptions that should have been revoked
  • Legacy system exceptions persist indefinitely without periodic validation of technical constraints or alternative enforcement mechanisms
  • Temporary MFA bypasses granted during incidents or onboarding become permanent due to lack of expiration enforcement
  • Privileged accounts or administrative roles receive MFA exemptions without documented compensating controls such as IP restrictions or jump hosts
  • Exception scope expands over time as additional users or systems are quietly added without updated justification or re-approval
  • Lack of ownership assignment for exceptions results in no party responsible for remediation or periodic validation of necessity
  • MFA exclusions configured directly in identity systems (for example, by adding an account to a conditional access exclusion group) without going through the formal exception registration process, so they are never recorded, reviewed, or given an expiration date

Testing procedure

How an auditor verifies this control

  1. Obtain the current MFA bypass and exception register, including all fields such as account/system identifier, justification, approver, creation date, review date, and expiration date.
  2. Verify that the register contains entries for all known MFA exceptions by cross-referencing conditional access policies, identity provider configurations, and authentication logs to identify accounts or groups excluded from MFA enforcement.
  3. Review documentation of the three most recent quarterly reviews, confirming each includes dated sign-off by designated reviewers and records decisions to retain, modify, or revoke exceptions.
  4. Select a sample of at least 10 active MFA exceptions spanning different business units, account types, and justification categories.
  5. For each sampled exception, validate that the documented justification remains valid by interviewing the business or system owner and confirming technical or operational constraints still exist.
  6. Verify that compensating controls documented for each sampled exception are actively implemented by reviewing firewall rules, network segmentation configurations, privileged access management logs, or other technical evidence.
  7. Identify any exceptions that exceeded their documented expiration date and confirm they were either formally renewed with updated approval or removed from the exception register and had MFA enforced.
  8. Test enforcement by reviewing authentication logs for a subset of excepted accounts to confirm MFA is not bypassed beyond the documented scope and that any revoked exceptions now require MFA.
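Steps 2, 6, 7, and 8 above can be scripted so that the reconciliation is repeatable each quarter. The following is an added example written for this page, not tooling from the page or any vendor: it compares a register against an identity-provider exclusion export and a set of authentication log lines. The register fields, the exclusion export shape, the log format, and all sample data are constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample MFA exception register. The field names are an
# assumption for this example, not a schema taken from the page.
REGISTER = [
    {"id": "svc-backup", "owner": "infra-team", "approver": "ciso",
     "justification": "legacy backup agent cannot complete MFA",
     "expires": "2025-12-31", "compensating": ["source-ip-allowlist"],
     "scope_apps": ["backup-api"]},
    {"id": "admin-break-glass", "owner": "identity-team", "approver": "ciso",
     "justification": "emergency access if the IdP MFA service is down",
     "expires": "2025-09-30", "compensating": ["pam-vault", "jump-host"],
     "scope_apps": ["admin-portal"]},
    {"id": "onboard-temp-jdoe", "owner": "hr-it", "approver": "it-manager",
     "justification": "temporary bypass during onboarding",
     "expires": "2025-03-15", "compensating": [],
     "scope_apps": ["hr-portal"]},
]

# Constructed export of MFA-policy exclusions from the identity provider
# (assumed shape: one record per policy listing its excluded principals).
IDP_EXCLUSIONS = [
    {"policy": "require-mfa-all-users",
     "excluded": ["svc-backup", "admin-break-glass", "svc-legacy-erp"]},
]

# Constructed authentication log lines (assumed "timestamp key=value ..." format).
AUTH_LOG = [
    "2025-06-02T10:01:00Z user=svc-backup app=backup-api mfa=false result=success",
    "2025-06-02T11:15:00Z user=svc-backup app=hr-portal mfa=false result=success",
    "2025-06-03T09:00:00Z user=jsmith app=vpn mfa=false result=success",
    "2025-06-03T09:05:00Z user=admin-break-glass app=admin-portal mfa=true result=success",
    "2025-06-04T08:30:00Z user=onboard-temp-jdoe app=hr-portal mfa=false result=success",
]


def parse_auth_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def unregistered_exclusions(register, idp_exclusions):
    """Principals excluded from MFA in the IdP but absent from the register (step 2)."""
    registered = {entry["id"] for entry in register}
    excluded = {p for policy in idp_exclusions for p in policy["excluded"]}
    return sorted(excluded - registered)


def expired_entries(register, today):
    """Register entries whose expiration date has passed (step 7)."""
    return sorted(e["id"] for e in register if date.fromisoformat(e["expires"]) < today)


def missing_compensating_controls(register):
    """Register entries with no documented compensating control (step 6)."""
    return sorted(e["id"] for e in register if not e["compensating"])


def out_of_scope_bypasses(register, log_lines, today):
    """Successful non-MFA logins not covered by a valid, in-scope register entry (step 8)."""
    by_id = {e["id"]: e for e in register}
    findings = []
    for line in log_lines:
        ev = parse_auth_line(line)
        if ev.get("mfa") != "false" or ev.get("result") != "success":
            continue  # MFA was used, or the login failed; nothing to flag
        entry = by_id.get(ev["user"])
        if entry is None:
            findings.append((ev["user"], ev["app"], "no register entry"))
        elif date.fromisoformat(entry["expires"]) < today:
            findings.append((ev["user"], ev["app"], "exception expired"))
        elif ev["app"] not in entry["scope_apps"]:
            findings.append((ev["user"], ev["app"], "app outside documented scope"))
    return findings


def quarterly_review(register, idp_exclusions, log_lines, today):
    """Bundle the four checks into one review result."""
    return {
        "unregistered": unregistered_exclusions(register, idp_exclusions),
        "expired": expired_entries(register, today),
        "no_compensating_control": missing_compensating_controls(register),
        "bypasses": out_of_scope_bypasses(register, log_lines, today),
    }


def run_sample_review():
    """Run the checks over the constructed sample data as of 2025-06-05."""
    return quarterly_review(REGISTER, IDP_EXCLUSIONS, AUTH_LOG, date(2025, 6, 5))


if __name__ == "__main__":
    for check, result in run_sample_review().items():
        print(check, result)
```

On the sample data this flags `svc-legacy-erp` as an exclusion that never reached the register (the risk in the last bullet above), `onboard-temp-jdoe` as both expired and lacking a compensating control, and three log events that no valid entry covers: `svc-backup` authenticating without MFA to an application outside its documented scope, `jsmith` bypassing MFA with no register entry at all, and the expired onboarding exception still being honoured. Each finding maps to a retain, modify, or revoke decision that the quarterly review record should then document.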
Evidence required

The auditor collects the MFA exception register with complete metadata fields, the documented quarterly review records with approver signatures and decision rationale for the past four quarters, and screenshots or configuration exports from the identity provider showing the conditional access policies and group memberships for excepted accounts. The auditor also collects authentication logs demonstrating MFA enforcement status for the sampled accounts, and supporting artifacts such as network access control lists, jump host configurations, or privileged access session recordings that validate the documented compensating controls.

Pass criteria

The MFA exception register is complete and accurate, quarterly reviews have occurred within the past 90 days with documented decisions for each entry, all sampled exceptions have valid current justifications and verified compensating controls, and no expired exceptions remain active without formal re-approval.