MFA enforced on every SaaS account
Demonstrate that MFA is technically enforced at the authentication layer for 100% of active user accounts across all in-scope SaaS applications, with no bypass mechanisms enabled.
Description
What this control does
This control requires that multi-factor authentication (MFA) is configured and enforced for all user accounts across every Software-as-a-Service (SaaS) application used by the organization. Enforcement means users cannot access the SaaS application without completing MFA, eliminating the option to bypass or defer enrollment. This includes both employee-facing and system/service accounts where technically supported. The control reduces reliance on passwords alone and significantly raises the bar for unauthorized access even when credentials are compromised.
Control objective
What auditing this proves
Demonstrate that MFA is technically enforced at the authentication layer for 100% of active user accounts across all in-scope SaaS applications, with no bypass mechanisms enabled.
Associated risks
Risks this control addresses
- Credential phishing attacks succeed because passwords alone grant full access to SaaS applications containing sensitive data
- Stolen or leaked credentials from third-party breaches are used to access organizational SaaS tenants without additional verification
- Brute-force or password-spray attacks successfully authenticate to SaaS accounts due to weak or reused passwords
- Insider threats or former employees retain access using cached or shared credentials that were not rotated
- Session hijacking or token theft attacks bypass password controls entirely if MFA is not required at login
- Accounts provisioned without MFA enforcement create security gaps exploitable during account enumeration
- Regulatory non-compliance with data protection requirements mandating strong authentication for systems processing personal or financial data
Testing procedure
How an auditor verifies this control
- Obtain and review the complete inventory of all SaaS applications in use, including shadow IT identified through SSO logs, expense reports, or CASB telemetry.
- For each SaaS application, access the administrative console and export the global authentication policy configuration showing MFA enforcement settings.
- Select a stratified sample of at least 15-20 active user accounts per SaaS application, ensuring coverage across roles (standard users, administrators, service accounts).
- Query each SaaS application's user management interface or API to retrieve the MFA enrollment and enforcement status for each sampled account.
- Attempt a test authentication to a non-production or test account in each SaaS application using only a username and password to verify that the MFA challenge is presented and cannot be bypassed.
- Review authentication logs for a 30-day period to identify any successful logins that did not trigger MFA, filtering for exemptions, legacy authentication protocols, or policy gaps.
- Examine conditional access or authentication policies to confirm no user groups, IP ranges, or device types are excluded from MFA requirements without documented risk acceptance.
- Validate that service accounts or API tokens used for automation are either exempted through a formal exception process or protected by certificate-based or hardware-token MFA alternatives.
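As an added example (not part of this control text), a small Python checker that applies the procedure's criteria to a constructed user export and constructed 30-day login records: active accounts lacking enforced MFA without a documented exception, missing role coverage in the sample, and successful logins that never triggered MFA. All field names and values are assumptions, not any vendor's export format.

```python
"""Added audit helper: evaluates a constructed SaaS user export and
constructed login records against this control. Field names are assumed."""

# Constructed sample export, as an admin console might produce it.
USERS = [
    {"user": "alice", "role": "admin", "active": True, "mfa_enforced": True},
    {"user": "bob", "role": "standard", "active": True, "mfa_enforced": False},
    {"user": "svc-backup", "role": "service", "active": True,
     "mfa_enforced": False, "exception_id": "EXC-0007"},  # formal risk acceptance
    {"user": "carol", "role": "standard", "active": False, "mfa_enforced": False},
]

# Constructed 30-day authentication log sample: one record per successful login.
LOGINS = [
    {"user": "alice", "protocol": "modern", "mfa": True, "policy": "default"},
    {"user": "bob", "protocol": "imap", "mfa": False, "policy": "default"},
    {"user": "dave", "protocol": "modern", "mfa": False, "policy": "ip-allowlist-bypass"},
]


def accounts_missing_mfa(users):
    """Active accounts with no enforced MFA and no documented exception."""
    return sorted(u["user"] for u in users
                  if u["active"] and not u["mfa_enforced"]
                  and "exception_id" not in u)


def role_coverage(users, required=("standard", "admin", "service")):
    """Roles the sample fails to cover; the procedure asks for stratified sampling."""
    seen = {u["role"] for u in users if u["active"]}
    return sorted(set(required) - seen)


def logins_without_mfa(logins):
    """Successful logins that never triggered MFA, tagged with the likely gap."""
    findings = []
    for rec in logins:
        if rec["mfa"]:
            continue
        if rec["protocol"] != "modern":
            reason = "legacy-auth"          # e.g. IMAP/POP basic auth
        elif rec["policy"] != "default":
            reason = "policy-exemption"     # conditional access carve-out
        else:
            reason = "unknown"              # needs manual follow-up
        findings.append((rec["user"], reason))
    return findings


if __name__ == "__main__":
    print("no enforced MFA:", accounts_missing_mfa(USERS))
    print("uncovered roles:", role_coverage(USERS))
    print("logins without MFA:", logins_without_mfa(LOGINS))
```

Each non-empty result maps to a finding against the control: the first list to the enforcement gap, the third to the log-review step.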
Where this control is tested