IA-2(1) / IA-2(2) / A.9.4.2 / CIS-6.3 NIST SP 800-53 Rev 5

MFA enforced for all administrators

Demonstrate that multi-factor authentication is technically enforced for 100% of administrator accounts across all systems and platforms, with no bypass mechanisms enabled.

Description

What this control does

Multi-factor authentication (MFA) must be enforced for all accounts with administrative privileges across systems, applications, and cloud platforms. This control requires at least two independent authentication factors (knowledge, possession, or inherence) for any user performing privileged operations such as configuration changes, user management, or access to sensitive data repositories. Enforcement mechanisms include conditional access policies, PAM solutions, identity provider configurations, and native platform controls that prevent administrative logon without successful MFA validation.

Control objective

What auditing this proves

Demonstrate that multi-factor authentication is technically enforced for 100% of administrator accounts across all systems and platforms, with no bypass mechanisms enabled.

Associated risks

Risks this control addresses

  • Credential compromise through phishing or social engineering enables unauthorized administrative access without additional verification
  • Password reuse or weak passwords allow attackers to pivot from breached external services directly into privileged accounts
  • Stolen or leaked credentials from third-party breaches grant immediate elevated access to critical systems
  • Insider threats with knowledge of administrator passwords bypass single-factor authentication controls
  • Session hijacking or man-in-the-middle attacks capture credentials in transit and replay them for administrative access
  • Brute-force or password-spraying attacks against administrative accounts succeed without MFA rate-limiting protections
  • Lack of MFA creates audit gaps where unauthorized privileged activity cannot be definitively attributed to legitimate administrators

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all systems, applications, cloud platforms, and infrastructure components that support administrative access
  2. Enumerate all accounts designated with administrative, privileged, or elevated permissions across each platform in the inventory
  3. Review identity provider configurations, conditional access policies, and PAM system settings to identify MFA enforcement rules applicable to administrator accounts
  4. Select a representative sample of administrator accounts spanning different platforms (cloud consoles, directory services, network devices, databases, applications)
  5. Attempt to authenticate to each sampled system using valid administrator credentials but without completing the MFA challenge to verify enforcement
  6. Review authentication logs for the past 90 days to identify any successful administrative logins that did not include MFA validation events
  7. Examine exception lists, bypass configurations, and emergency access procedures to confirm no standing exemptions exist for administrator MFA requirements
  8. Verify that MFA enrollment is mandatory for all administrator accounts and that accounts cannot perform privileged actions until enrollment is complete
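The log review in step 6, as an added example that is not part of this control catalog: a Python script run over a constructed JSON-lines sign-in log that flags every successful privileged login inside a 90-day audit window that used fewer than two independent factor categories. The role names, method names, log layout and audit end date are assumptions for the example; it also treats two methods of the same category (for instance two possession factors) as a single factor, since that does not meet the control's independence requirement.

```python
import json
from datetime import datetime, timedelta, timezone

# Factor category per method (constructed names, not any vendor's log schema).
# Methods not listed here do not count toward MFA, so the check stays conservative.
FACTOR_CATEGORY = {"password": "knowledge", "totp": "possession",
                   "push": "possession", "fido2": "possession",
                   "fingerprint": "inherence"}
ADMIN_ROLES = {"GlobalAdmin", "DomainAdmin", "DBA"}
AUDIT_END = datetime(2024, 5, 31, tzinfo=timezone.utc)  # end of the 90-day audit period

# Constructed JSON-lines sign-in log: one authentication event per line.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "roles": ["GlobalAdmin"], "result": "success", "methods": ["password", "totp"]}
{"ts": "2024-05-02T09:15:00Z", "user": "bob", "roles": ["DBA"], "result": "success", "methods": ["password"]}
{"ts": "2024-05-03T10:30:00Z", "user": "carol", "roles": ["Reader"], "result": "success", "methods": ["password"]}
{"ts": "2024-01-10T11:00:00Z", "user": "dave", "roles": ["DomainAdmin"], "result": "success", "methods": ["password"]}
{"ts": "2024-05-04T12:00:00Z", "user": "erin", "roles": ["DomainAdmin"], "result": "failure", "methods": ["password"]}
{"ts": "2024-05-05T13:00:00Z", "user": "frank", "roles": ["GlobalAdmin"], "result": "success", "methods": ["totp", "push"]}
"""

def is_admin_login_without_mfa(event):
    """True for a successful privileged login that used fewer than two
    independent factor categories (knowledge, possession, inherence)."""
    if event["result"] != "success" or not ADMIN_ROLES.intersection(event["roles"]):
        return False
    categories = {FACTOR_CATEGORY[m] for m in event["methods"] if m in FACTOR_CATEGORY}
    return len(categories) < 2

def find_unenforced_admin_logins(log_text, audit_end=AUDIT_END, window_days=90):
    """Return (user, ts) for each flagged event inside the audit window."""
    window_start = audit_end - timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        if window_start <= ts <= audit_end and is_admin_login_without_mfa(event):
            findings.append((event["user"], event["ts"]))
    return findings

if __name__ == "__main__":
    for user, ts in find_unenforced_admin_logins(SAMPLE_LOG):
        print(f"FINDING: {user} completed an administrative login at {ts} "
              "with fewer than two factor categories")
```

In the sample, dave's single-factor login falls outside the window and erin's attempt failed, so only bob and frank are reported; each finding is a candidate for the evidence package, not yet a confirmed bypass until the identity provider configuration for that account is reviewed.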

Evidence required

Configuration exports from identity providers showing conditional access policies with MFA enforcement scoped to administrative roles; screenshots or CLI output demonstrating failed authentication attempts when MFA is not completed; authentication log excerpts for the audit period showing MFA validation events correlated with administrative sessions; policy documentation defining administrator account requirements and approved MFA methods.

Pass criteria

All administrator accounts across all systems demonstrate technical enforcement of MFA, with zero successful administrative authentications completed without MFA validation during the audit period and no active bypass mechanisms or unenrolled privileged accounts identified.