AZ-001 Microsoft Azure

MFA is enforced for all users, especially privileged roles.

MFA is enforced for all users, especially privileged roles.

Domain
Microsoft Azure
Area
Entra ID / IAM
Automated / manual
Automated

Risk if it fails

Password-only logins are trivially phished.

Without a second factor, one stolen password lets an attacker log in as the employee — and if that employee is an admin, they now control the whole tenant.

How Tess tests it

1 test — each concludes only on cited evidence.

MFA is enforced for all users, especially privileged roles.

Automated
Procedure
Review Conditional Access / Security Defaults and per-user MFA state for privileged roles.

Read-only command 

az rest --method get --url 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
az ad user list --query '[].userPrincipalName'

More in Microsoft Azure

AZ-002 Number of Global Administrators is limited (typically 2-4). AZ-003 Privileged Identity Management (PIM) provides just-in-time elevation. AZ-004 Legacy/basic authentication is blocked. AZ-005 Guest user access and invitations are restricted.

Want Tess to test AZ-001 against your evidence?

Book a demo