Technological Control 8.5

Secure Authentication

Summary

Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. This ensures that the identity of any user or system attempting to access data is verified with high confidence.

Applicability

In-Scope: Mandatory for all organizations. It is the primary defense against unauthorized access and the most critical technical control in a modern security framework.

Out-of-Scope: Never out-of-scope.

Implementation Guidance

Microsoft 365 / Entra ID

  • Multi-Factor Authentication (MFA): Enforce MFA for all users via Entra ID Conditional Access, prioritizing phishing-resistant methods like Microsoft Authenticator (Push) or FIDO2 keys.

  • Passwordless: Transition high-risk users to passwordless authentication using Windows Hello for Business or the Microsoft Authenticator app.

  • Risk-Based Authentication: Enable Entra ID Identity Protection to automatically require a more secure authentication method or a password reset if a login attempt is flagged as high risk.

Evidence Checklist

  • Authentication Policy: Documented requirements for password complexity, MFA usage, and the use of modern authentication protocols.

  • MFA Adoption Reports: Screenshots from the Entra ID portal showing that 100% of users are registered and using MFA.

  • Sign-in Logs: Audit records showing successful MFA challenges and the remediation of blocked suspicious login attempts.

Practical Audit Advice

Here are some questions the auditor might ask:

  • Does the organization permit the use of weaker MFA methods like SMS or voice calls, and if so, how is this risk justified?

  • How do you ensure that legacy authentication protocols (which bypass MFA) are completely disabled across the tenant?

  • Can you demonstrate the process for a user to securely reset their authentication factors if they lose their mobile device?

  • How are administrative accounts protected with stronger authentication requirements than standard users?
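The following script is an added example, not part of this page or of any Microsoft tooling: it triages a constructed export of Entra ID sign-in records for the three gaps the questions above target (legacy protocols that bypass MFA, successful single-factor sign-ins, and SMS or voice MFA). Field names are assumed to follow the Microsoft Graph signIn resource (clientAppUsed, authenticationRequirement, authenticationDetails, status.errorCode); the value sets and the records themselves are assumptions built for the demonstration.

```python
import json

# Client app values that mark legacy authentication, and MFA methods the
# audit question above calls weak (assumed sets; extend to match your logs).
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
                      "Other clients", "MAPI Over HTTP", "Exchange Web Services"}
WEAK_MFA_METHODS = {"Text message", "Phone call"}

def _entry(upn, app, requirement, error_code, *methods):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"userPrincipalName": upn, "clientAppUsed": app,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error_code},
            "authenticationDetails": [{"authenticationMethod": m, "succeeded": error_code == 0} for m in methods]}

# Constructed export: one compliant sign-in, one legacy IMAP4 sign-in with a
# single factor, one SMS-based MFA sign-in, and one failed password attempt.
SAMPLE_LOG = json.dumps([
    _entry("alice@example.com", "Browser", "multiFactorAuthentication", 0, "Password", "FIDO2 security key"),
    _entry("bob@example.com", "IMAP4", "singleFactorAuthentication", 0, "Password"),
    _entry("carol@example.com", "Browser", "multiFactorAuthentication", 0, "Password", "Text message"),
    _entry("dave@example.com", "Browser", "singleFactorAuthentication", 50126, "Password"),
])

def triage_sign_ins(raw_json):
    """Map each UPN with a successful non-compliant sign-in to its findings."""
    findings = {}
    for entry in json.loads(raw_json):
        if entry.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed sign-in is not evidence of an exposed account
        issues = []
        if entry.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            issues.append("legacy-protocol")
        if entry.get("authenticationRequirement") != "multiFactorAuthentication":
            issues.append("single-factor")
        used = {d["authenticationMethod"] for d in entry.get("authenticationDetails", []) if d.get("succeeded")}
        if used & WEAK_MFA_METHODS:
            issues.append("weak-mfa")
        if issues:
            findings[entry["userPrincipalName"]] = issues
    return findings

if __name__ == "__main__":
    for upn, issues in triage_sign_ins(SAMPLE_LOG).items():
        print(f"{upn}: {', '.join(issues)}")
```

Run against a real export, an empty result for every user over the audit period is the evidence the sign-in logs item in the checklist above asks for; any hit names the account and the specific gap to remediate.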

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

  • Source Code Access Control Policy (docx): Restricts and governs access to source code repositories and version control systems.

  • Repository Access Request Form (xlsx): Documents requests for and approvals of access to source code repositories.

See all templates on the Templates page.