IA-2(1) / IA-2(2) / A.9.4.2 / CIS-6.3 / CIS-6.5 | NIST SP 800-53 Rev 5

MFA enforced on every user (incl. admins)

Demonstrate that multi-factor authentication is universally enforced across all user accounts, including administrative and privileged roles, with no exceptions or bypasses that would permit single-factor authentication.

Description

What this control does

Multi-factor authentication (MFA) is required for every user account with access to organizational systems, including administrators, standard users, service accounts with interactive login capability, and privileged accounts. This control enforces at least two independent authentication factors (something you know, something you have, or something you are) at every authentication event. MFA significantly reduces the risk of unauthorized access resulting from credential theft, phishing, or brute-force attacks by requiring an attacker to compromise multiple independent factors.

Associated risks

Risks this control addresses

  • Credential theft via phishing campaigns allows unauthorized access using stolen passwords alone
  • Compromised passwords from third-party breaches enable account takeover without additional verification
  • Brute-force or password-spray attacks succeed when only password authentication is required
  • Insider threats with knowledge of user credentials gain unauthorized access to systems and data
  • Session hijacking or man-in-the-middle attacks leverage stolen session tokens to bypass authentication
  • Privileged account compromise leads to complete system control and lateral movement across infrastructure
  • Automated bot attacks successfully authenticate using leaked credential databases

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all user accounts across identity providers, directory services, VPNs, cloud platforms, and administrative consoles
  2. Review authentication policy configurations in identity management systems (e.g., Azure AD, Okta, Active Directory, AWS IAM) to identify MFA enforcement settings
  3. Select a stratified sample of at least 25 accounts including regular users, administrators, service principals with interactive login, and break-glass accounts
  4. Attempt test authentications for sampled accounts using only username and password to verify MFA challenge is triggered before access is granted
  5. Review authentication logs for the past 90 days to identify any successful authentications that did not include an MFA event
  6. Examine conditional access policies, authentication policies, and exception groups to identify any bypass rules or MFA exclusions
  7. Interview identity administrators to identify documented break-glass procedures and verify compensating controls for emergency access scenarios
  8. Review user provisioning workflows and onboarding documentation to confirm MFA enrollment is mandatory before initial system access
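
The log review in step 5 and the exclusion check in step 6, as an added example that is not part of this control catalogue: a Python helper run over a constructed sign-in log, policy export and account inventory (the field names, account names and the MFA-Exempt group are this example's own assumptions, not any vendor's schema).

```python
# Added example, not part of this control page. Sign-in events, the policy export
# and the inventory are constructed samples with this example's own field names.
from datetime import datetime, timedelta, timezone

WINDOW_END = datetime(2024, 6, 30, tzinfo=timezone.utc)   # end of the 90-day review window
BREAK_GLASS = {"bg-admin-01@example.test"}                # documented emergency accounts (placeholder)
INVENTORY = ["alice@example.test", "bob@example.test", "carol@example.test",
             "dave@example.test", "svc-legacy@example.test", "bg-admin-01@example.test"]
# Constructed sign-in events: (account, timestamp, success, mfa_satisfied)
SAMPLE_LOG = [
    ("alice@example.test", WINDOW_END - timedelta(days=3), True, True),
    ("bob@example.test", WINDOW_END - timedelta(days=10), True, False),    # single-factor success
    ("bob@example.test", WINDOW_END - timedelta(days=120), True, False),   # outside the window
    ("carol@example.test", WINDOW_END - timedelta(days=1), False, False),  # failed sign-in
    ("bg-admin-01@example.test", WINDOW_END - timedelta(days=7), True, False),  # break-glass use
]
# Constructed MFA policy export: everyone included, but two exclusion paths
SAMPLE_POLICY = {
    "state": "enabled",
    "include_users": "All",
    "exclude_users": ["svc-legacy@example.test"],
    "exclude_groups": {"MFA-Exempt": ["dave@example.test", "bob@example.test"]},
    "grant_controls": ["mfa"],
}

def single_factor_successes(log, window_end, days=90):
    """Step 5: successful sign-ins inside the window with no MFA event, keyed by
    account; break-glass uses are returned separately for procedure review."""
    start = window_end - timedelta(days=days)
    findings, break_glass_uses = {}, {}
    for account, when, success, mfa in log:
        if success and not mfa and start <= when <= window_end:
            bucket = break_glass_uses if account in BREAK_GLASS else findings
            bucket.setdefault(account, []).append(when)
    return findings, break_glass_uses

def policy_gaps(policy, inventory):
    """Step 6: inventoried accounts the MFA policy does not reach, via explicit
    exclusions or because the policy is disabled or does not grant on MFA."""
    if policy["state"] != "enabled" or "mfa" not in policy["grant_controls"]:
        return set(inventory)
    excluded = set(policy["exclude_users"]).union(*policy["exclude_groups"].values())
    covered = set(inventory) if policy["include_users"] == "All" else set(policy["include_users"])
    return (set(inventory) - covered) | (excluded & set(inventory))

def control_passes(log, policy, inventory, window_end):
    """Pass criteria: no single-factor successes, no exclusions beyond break-glass."""
    findings, _ = single_factor_successes(log, window_end)
    return not findings and not (policy_gaps(policy, inventory) - BREAK_GLASS)
```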

Evidence required

Configuration exports from identity providers showing global MFA enforcement policies and no exclusion groups; authentication logs demonstrating MFA challenges for all sampled authentication events; screenshots of policy settings from Azure AD Conditional Access, AWS IAM policies, or equivalent platforms; attestation letters from identity administrators confirming no bypass mechanisms exist; user provisioning procedures requiring MFA registration before access grant.

Pass criteria

100% of sampled accounts demonstrate mandatory MFA enforcement at authentication with no successful single-factor authentications observed in logs, no policy exceptions exist outside documented and controlled break-glass procedures with compensating detective controls, and configuration exports confirm global MFA requirement.
