MFA enforced on critical SaaS
Demonstrate that multi-factor authentication is technically enforced for all user accounts with access to designated critical SaaS applications, with no capability to bypass this requirement under normal operational conditions.
Description
What this control does
This control requires that multi-factor authentication (MFA) is mandated for all user accounts accessing business-critical Software-as-a-Service (SaaS) applications such as productivity suites, CRM platforms, HR systems, and financial management tools. MFA enforcement prevents unauthorized access even when credentials are compromised through phishing, credential stuffing, or password reuse. The control is implemented through identity provider policies, SaaS-native security settings, or conditional access rules that block sign-in attempts lacking a second authentication factor.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is technically enforced for all user accounts with access to designated critical SaaS applications, with no capability to bypass this requirement under normal operational conditions.
Associated risks
Risks this control addresses
- Unauthorized access to SaaS applications containing sensitive business data following credential compromise via phishing attacks
- Account takeover by external threat actors using credentials obtained from third-party data breaches or password reuse
- Lateral movement across SaaS environments after initial compromise of a single user account lacking MFA protection
- Insider misuse of stolen or shared credentials to access SaaS platforms beyond authorized scope
- Business email compromise (BEC) attacks exploiting weak authentication to impersonate executives or financial personnel
- Data exfiltration from cloud storage, collaboration platforms, or customer databases accessible through compromised SaaS accounts
- Regulatory non-compliance with standards requiring strong authentication for systems processing protected data types
Testing procedure
How an auditor verifies this control
- Obtain the organization's official inventory of critical SaaS applications including application names, URLs, and business criticality classification.
- Request and review the identity provider (IdP) or SaaS application security policy configurations showing MFA enforcement rules for each critical application.
- Select a representative sample of 15-20 active user accounts spanning different roles, departments, and privilege levels with access to critical SaaS applications.
- For each sampled user, review authentication logs or user attribute records to verify MFA enrollment status and confirm registered authenticator types (e.g., authenticator app, hardware token, SMS).
- Attempt to authenticate to a critical SaaS application using valid credentials for a test account without providing the second factor, documenting whether access is denied.
- Review conditional access policies or authentication policy exceptions to identify any accounts, groups, or IP ranges exempted from MFA requirements.
- Interview identity and access management personnel to understand the process for MFA enrollment, user onboarding workflows, and handling of MFA bypass requests.
- Examine change management records or security configuration audit logs from the past 12 months to confirm MFA enforcement has remained continuously active without unauthorized policy modifications.
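The evidence review in the steps above, as an added example that is not part of the original control text: a small Python checker over constructed policy, enrollment and sign-in records that flags critical applications with no enabled MFA policy, policy exemptions (groups and IP ranges) and the sampled users they cover, users with no registered second factor, and successful sign-ins to a critical application without MFA. The record field names and sample values are assumptions, not any real identity provider's export format.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "kind subject")

# Constructed sample evidence, not from any real tenant; field names are
# assumptions loosely modelled on a generic IdP policy and sign-in export.
CRITICAL_APPS = ["CRM", "HRIS", "Finance"]
POLICIES = [{"name": "Require MFA - Critical SaaS", "state": "enabled",
             "apps": ["CRM", "HRIS"], "exclude_groups": ["Break Glass"],
             "exclude_ips": ["203.0.113.0/24"]}]
USERS = [
    {"upn": "alice@example.test", "groups": [], "mfa_methods": ["app"]},
    {"upn": "bob@example.test", "groups": [], "mfa_methods": []},
    {"upn": "bg-admin@example.test", "groups": ["Break Glass"], "mfa_methods": ["fido2"]},
]
SIGNINS = [
    {"upn": "alice@example.test", "app": "CRM", "success": True, "mfa": True},
    {"upn": "bob@example.test", "app": "HRIS", "success": True, "mfa": False},
    {"upn": "bob@example.test", "app": "CRM", "success": False, "mfa": False},
]

def audit_mfa(critical_apps, policies, users, signins):
    """Return the findings an auditor would raise; an empty list means no gaps."""
    findings = []
    enabled = [p for p in policies if p["state"] == "enabled"]
    # 1. Every critical app must be covered by at least one enabled MFA policy.
    for app in critical_apps:
        if not any(app in p["apps"] for p in enabled):
            findings.append(Finding("NO_POLICY", app))
    # 2. Policy exclusions (groups, IP ranges) are bypass paths to document,
    #    as are the sampled users who fall into an excluded group.
    for p in enabled:
        for g in p.get("exclude_groups", []):
            findings.append(Finding("GROUP_EXEMPTION", f"{p['name']}:{g}"))
        for ip in p.get("exclude_ips", []):
            findings.append(Finding("IP_EXEMPTION", f"{p['name']}:{ip}"))
        exempt = set(p.get("exclude_groups", []))
        for u in users:
            if exempt & set(u["groups"]):
                findings.append(Finding("EXEMPT_USER", u["upn"]))
    # 3. Every sampled user must have a registered second factor.
    for u in users:
        if not u["mfa_methods"]:
            findings.append(Finding("NOT_ENROLLED", u["upn"]))
    # 4. A successful sign-in to a critical app with no MFA claim is a bypass.
    for s in signins:
        if s["app"] in critical_apps and s["success"] and not s["mfa"]:
            findings.append(Finding("MFA_BYPASS", f"{s['upn']}->{s['app']}"))
    return findings
```

On the constructed data the checker reports the uncovered Finance application, the break-glass group and IP exemptions, the exempted admin account, the unenrolled user, and one successful HRIS sign-in without MFA; each line maps to a testing step above and to the exception an auditor would write up.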