2.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entr
I would like to challenge this recommendation.
If imposing MFA on "device registration and joining", won't this interfere with users registering their MFA devices?
I would like to suggest that the optimal choice is:
"Ensure that 'Users may join devices to Microsoft Entra' is set to Selected or No."
Users don't typically need to join devices; only admins / selected identities do (albeit a different case for Intune; I think this configuration may interfere).
In any case, I believe that imposing MFA on "device registration" will add more work for Administrators in the long run.
I would also recommend Conditional Access Policies enforcing Device Compliance (Health, EDR, Trusted Networks, etc.) on authentication as well; this will deter attempts to upgrade to a Primary Refresh Token from rogue joined devices (ref. Dirk-Jan M.'s work).
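An added example, not part of the post or of the CIS Benchmark: an offline audit of the two settings the post weighs against each other (who may join devices and whether MFA is required to register or join) plus the Conditional Access control it recommends (a tenant-wide policy that requires a compliant or hybrid-joined device). The input shapes are modelled on the Microsoft Graph resources `GET /policies/deviceRegistrationPolicy` and `GET /identity/conditionalAccess/policies`; the sample objects are constructed for this example, the group id is a placeholder, and it is an assumption that the field names match a real tenant's response, so verify them before relying on the output.

```python
"""Offline audit of Entra device-join scope, registration MFA and device-based
Conditional Access, run over constructed sample policy objects.

Assumption: the dictionaries below follow the documented Microsoft Graph v1.0
shapes for deviceRegistrationPolicy and conditionalAccessPolicy. Replace them
with real responses (e.g. from the Graph SDK) before using this in anger.
"""
from __future__ import annotations

from typing import Any

# @odata.type values of the deviceRegistrationMembership variants behind
# azureADJoin.allowedToJoin (All / No / Selected in the portal).
ALL = "#microsoft.graph.allDeviceRegistrationMembership"
NONE = "#microsoft.graph.noDeviceRegistrationMembership"
ENUMERATED = "#microsoft.graph.enumeratedDeviceRegistrationMembership"

# Constructed sample: the weak tenant lets everyone join and requires no MFA.
WEAK_DEVICE_POLICY: dict[str, Any] = {
    "azureADJoin": {"allowedToJoin": {"@odata.type": ALL}},
    "multiFactorAuthConfiguration": "notRequired",
}

# Constructed sample: join restricted to one group, MFA required for join/register.
HARDENED_DEVICE_POLICY: dict[str, Any] = {
    "azureADJoin": {
        "allowedToJoin": {
            "@odata.type": ENUMERATED,
            "groups": ["<device-admins-group-object-id>"],  # placeholder, not a real id
        }
    },
    "multiFactorAuthConfiguration": "required",
}

_EVERYONE = {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["All"]},
}

# Constructed sample: the device-compliance policy exists but is report-only,
# a common gap that looks fine in the portal list and enforces nothing.
WEAK_CA_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require compliant device (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": _EVERYONE,
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }
]

# Constructed sample: the same policy, enabled and accepting hybrid-joined devices too.
HARDENED_CA_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require compliant or hybrid-joined device",
        "state": "enabled",
        "conditions": _EVERYONE,
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["compliantDevice", "domainJoinedDevice"],
        },
    }
]


def join_scope(policy: dict[str, Any]) -> str:
    """Map azureADJoin.allowedToJoin to the portal wording: All / Selected / No."""
    membership = policy.get("azureADJoin", {}).get("allowedToJoin", {})
    return {ALL: "All", NONE: "No", ENUMERATED: "Selected"}.get(
        membership.get("@odata.type", ""), "Unknown"
    )


def mfa_required_for_registration(policy: dict[str, Any]) -> bool:
    """True when the tenant requires MFA to register or join a device."""
    return policy.get("multiFactorAuthConfiguration") == "required"


def _scoped_to_everyone(ca_policy: dict[str, Any]) -> bool:
    cond = ca_policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def ca_requires_compliant_device(ca_policies: list[dict[str, Any]]) -> bool:
    """True if an *enabled* tenant-wide policy grants access only from compliant
    or hybrid-joined devices; report-only policies deliberately do not count."""
    for p in ca_policies:
        if p.get("state") != "enabled" or not _scoped_to_everyone(p):
            continue
        controls = set(p.get("grantControls", {}).get("builtInControls", []))
        if controls & {"compliantDevice", "domainJoinedDevice"}:
            return True
    return False


def audit(policy: dict[str, Any], ca_policies: list[dict[str, Any]]) -> list[str]:
    """Return one finding per gap; an empty list means all three checks pass."""
    findings: list[str] = []
    if join_scope(policy) == "All":
        findings.append("Users may join devices to Entra: All (expected Selected or No)")
    if not mfa_required_for_registration(policy):
        findings.append("MFA is not required to register or join devices")
    if not ca_requires_compliant_device(ca_policies):
        findings.append("No enabled tenant-wide CA policy requires a compliant or hybrid-joined device")
    return findings


if __name__ == "__main__":
    for label, dev, ca in (("weak", WEAK_DEVICE_POLICY, WEAK_CA_POLICIES),
                           ("hardened", HARDENED_DEVICE_POLICY, HARDENED_CA_POLICIES)):
        print(label, audit(dev, ca) or ["no findings"])
```

The report-only sample is there on purpose: a Conditional Access policy in `enabledForReportingButNotEnforced` state still appears in listings with the right grant control, so an audit that only looks at `builtInControls` without checking `state` will report a device-compliance requirement that is not actually enforced.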
Comments: 1
19 Feb, '25
Moderator Admin (highlighted comment)
Hi Filip
Thanks for the suggestions that you have added. Unfortunately, this is not the forum for those - it would be the Benchmark specific Community on CIS Workbench.
You can access the list of Workbench Communities at https://workbench.cisecurity.org/communities/public. And then once you locate the community which has published the Benchmark, you can add a Discussion or Ticket regarding your specific suggestion.
I hope this helps.
Best regards
Chris