IA-2(1) / IA-2(2) / A.9.4.2 / CIS-6.3 NIST SP 800-53 Rev 5

MFA enforced at the IdP layer

Demonstrate that multi-factor authentication is consistently enforced by the identity provider for all user authentication events before identity assertions are issued to integrated applications.

Description

What this control does

Multi-factor authentication (MFA) is enforced at the Identity Provider (IdP) layer, meaning authentication policies require users to present at least two distinct authentication factors before the IdP issues identity tokens or assertions to relying applications. This architectural approach centralizes authentication enforcement, ensuring that all downstream applications and services inherit MFA protection without requiring per-application configuration. By enforcing MFA at the IdP, organizations prevent attackers from bypassing multi-factor requirements through misconfigured or legacy applications that federate authentication.

Control objective

What auditing this proves

Demonstrate that multi-factor authentication is consistently enforced by the identity provider for all user authentication events before identity assertions are issued to integrated applications.

Associated risks

Risks this control addresses

  • Credential-based account takeover via phished or stolen passwords when MFA is not required
  • Lateral movement by attackers who compromise single-factor credentials and authenticate to federated applications
  • Bypass of application-layer MFA controls through direct IdP access or legacy authentication protocols
  • Session hijacking where attackers replay authentication tokens obtained without MFA challenge
  • Privilege escalation through administrative accounts accessed with only username and password
  • Insider threats exploiting weak authentication to access sensitive systems outside normal monitoring
  • Compliance violations when authentication assurance levels fail to meet regulatory MFA mandates

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current IdP authentication policy configuration export showing global MFA enforcement settings.
  2. Identify all conditional access policies, authentication flows, and user groups to determine if any bypass conditions or exemptions exist.
  3. Select a representative sample of user accounts across privilege levels (standard users, administrators, service accounts) for testing.
  4. Attempt authentication to the IdP using sampled accounts with valid passwords only, without providing a second factor.
  5. Document whether authentication succeeds, fails, or prompts for MFA enrollment, recording the exact behavior for each account type.
  6. Review IdP authentication logs for a 30-day period to identify any successful sign-ins that did not include MFA claims or factors.
  7. Examine legacy authentication protocol settings (e.g., basic auth, IMAP, SMTP) to confirm they are blocked or also subject to MFA requirements.
  8. Validate that emergency access or break-glass accounts either enforce MFA or are subject to compensating detective controls with documented justification.

Evidence required

Configuration exports from the IdP showing global authentication policies, conditional access rules, and MFA enforcement settings. Authentication event logs for the sample period indicating authentication method, factor types presented, and success/failure outcomes. Screenshots or policy documentation showing legacy protocol blocking and exemption handling for privileged or emergency accounts.

Pass criteria

All sampled authentication attempts to the IdP fail or prompt for multi-factor authentication when only a password is provided, and authentication logs confirm no successful sign-ins occurred without MFA verification except for explicitly documented and approved break-glass scenarios with compensating controls.
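The log review in steps 6 to 8 can be automated once the IdP export is in hand. The script below is an added example, not part of this control catalog or any IdP vendor's tooling: it reads constructed JSON-lines sign-in events (the field names `ts`, `user`, `result`, `factors`, `protocol`, `app` and the factor and protocol names are assumptions for the example, not a specific product's schema), keeps only successful sign-ins inside the 30-day window, and flags those that carried fewer than two distinct factor categories, that arrived over a legacy protocol, or that belong to a break-glass account. It also evaluates the pass criteria stated above: findings are acceptable only when every one of them is a documented break-glass sign-in.

```python
"""Scan IdP sign-in events for successful authentications that lacked a
second factor (testing steps 6 to 8). Log schema, factor names and protocol
names below are assumptions for this example, not a particular IdP's format."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Each factor maps to a category; MFA requires two DISTINCT categories, so
# password + security question (both "knowledge") does not count as MFA.
FACTOR_CATEGORY = {
    "password": "knowledge", "security_question": "knowledge",
    "totp": "possession", "push": "possession", "fido2": "possession",
    "hardware_token": "possession", "sms": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
# Protocols with no interactive challenge step, so a second factor cannot
# be presented at all (step 7). Assumed names for the example.
LEGACY_PROTOCOLS = {"basic_auth", "imap", "pop3", "smtp_auth"}
BREAK_GLASS_REASON = "break-glass single-factor sign-in: verify documented justification"

# Constructed sample export (JSON lines); not real IdP data.
SAMPLE_LOG = """\
{"ts":"2024-03-20T07:00:00Z","user":"frank@example.com","result":"success","factors":["password"],"protocol":"oidc","app":"wiki"}
{"ts":"2024-05-01T08:02:11Z","user":"alice@example.com","result":"success","factors":["password","totp"],"protocol":"oidc","app":"wiki"}
{"ts":"2024-05-01T08:05:40Z","user":"bob@example.com","result":"success","factors":["password"],"protocol":"oidc","app":"payroll"}
{"ts":"2024-05-01T09:15:03Z","user":"carol@example.com","result":"success","factors":["password","security_question"],"protocol":"saml","app":"crm"}
{"ts":"2024-05-01T10:22:19Z","user":"svc-backup@example.com","result":"success","factors":["password"],"protocol":"imap","app":"mail"}
{"ts":"2024-05-01T11:00:00Z","user":"breakglass-01@example.com","result":"success","factors":["password"],"protocol":"oidc","app":"admin-console"}
{"ts":"2024-05-01T11:30:27Z","user":"dave@example.com","result":"failure","factors":["password"],"protocol":"oidc","app":"wiki"}
{"ts":"2024-05-01T12:45:09Z","user":"erin@example.com","result":"success","factors":["password","fido2"],"protocol":"oidc","app":"wiki"}
"""


@dataclass
class Finding:
    user: str
    ts: str
    protocol: str
    reason: str


def has_mfa(factors):
    """True when the presented factors span at least two factor categories."""
    categories = {FACTOR_CATEGORY.get(f.lower()) for f in factors}
    categories.discard(None)  # unknown factor names earn no credit
    return len(categories) >= 2


def audit_signins(log_text, break_glass_accounts, now_iso, window_days=30):
    """Return findings for successful sign-ins inside the review window
    that did not satisfy MFA (steps 6 to 8). now_iso is the review date."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    cutoff = now - timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ts < cutoff or ev.get("result") != "success":
            continue  # only successful sign-ins in the window matter
        protocol = ev.get("protocol", "").lower()
        if protocol in LEGACY_PROTOCOLS:
            findings.append(Finding(ev["user"], ev["ts"], protocol,
                                    "legacy protocol sign-in: no MFA challenge possible"))
            continue
        if has_mfa(ev.get("factors", [])):
            continue
        reason = (BREAK_GLASS_REASON if ev["user"] in break_glass_accounts
                  else "single-factor sign-in")
        findings.append(Finding(ev["user"], ev["ts"], protocol, reason))
    return findings


def meets_pass_criteria(findings):
    """Pass only if every finding is a documented break-glass sign-in."""
    return all(f.reason == BREAK_GLASS_REASON for f in findings)


if __name__ == "__main__":
    results = audit_signins(SAMPLE_LOG, {"breakglass-01@example.com"},
                            now_iso="2024-05-15T00:00:00Z")
    for f in results:
        print(f"{f.ts} {f.user:28} {f.protocol:6} {f.reason}")
    print("pass criteria met:", meets_pass_criteria(results))
```

Two points in the sample are worth noticing: the sign-in with password plus security question is flagged because both are knowledge factors, and the IMAP sign-in is flagged regardless of what the `factors` field says, because a legacy protocol has no challenge step in which a second factor could have been presented. The break-glass hit still appears in the output so the auditor can tie it to the documented justification step 8 requires.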

Where this control is tested

Audit programs including this control