ASD's Blueprint for Secure Cloud

Multi-factor Authentication

This page provides a template and guidance to assist organisations in documenting their approach to Multi-Factor Authentication, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 6 minutes

Applicability

The Multi-Factor Authentication (MFA) mitigation strategy is applicable to all access management within <SYSTEM-NAME>.

In particular, this is applicable to the configuration of Microsoft Entra ID AND ON PREMISES ACTIVE DIRECTORY to provide identity and access management (IAM) services for <SYSTEM-NAME>, particularly for governing access to Microsoft 365 services and to managed <SYSTEM-NAME> Windows endpoints.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Maturity level

Targeted:<TARGET-LEVEL>
Currently Assessed:<ASSESSED-LEVEL>

Implementation

Authentication methods used

Microsoft Entra ID is configured as the central store for identity and access management within <SYSTEM-NAME>, acting as central management for user authentication and authorisation to various Single Sign On (SSO) services, including as for access to <SYSTEM-NAME> Windows endpoints.

Microsoft Entra ID is configured to utilise the following authentication methods:

User groupAuthentication methodNotes
Unprivileged users:<Authentication method-1>
<Authentication method-2>
Privileged users:<Authentication method-1>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Logging

The collection of event logs for monitoring of <SYSTEM-NAME> is performed in accordance with <ORGANISATION-NAME>’s Event Logging Policy, and includes the aggregation of the following logs into Microsoft Log Analytics:

MFA Event (Microsoft 365 services)Forwarded to Log Analytics
Successful MFA:<YES>
Unsuccessful MFA:<YES>
MFA Event (Workstations)Forwarded to Log Analytics
Successful MFA:<YES>
Unsuccessful MFA:<YES>
MFA Event (<Internet-facing servers>)Forwarded to Log Analytics
Successful MFA:<YES>
Unsuccessful MFA:<YES>
MFA Event (<Non-internet-facing servers>)Forwarded to Log Analytics
Successful MFA:<YES>
Unsuccessful MFA:<YES>
MFA Event (<OTHER-SERVICE-1>)Forwarded to Log Analytics
Successful MFA:<YES>
Unsuccessful MFA:<YES>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Monitoring and response

<SYSTEM-NAME> utilises the Microsoft 365 Defender portal and <SIEM-PRODUCT> to assist in the identification of cyber security incidents.

This includes the processing, analysis, and response to the following event logs in a timely manner:

MFA EventMicrosoft 365 ServicesWorkstations<INTERNET-FACING-SERVERS><NON-INTERNET-FACING-SERVERS><OTHER SERVICES>
Successful MFA:<YES><YES><IMPLEMENTATION><IMPLEMENTATION><IMPLEMENTATION>
Unsuccessful MFA:<YES><YES><IMPLEMENTATION><IMPLEMENTATION><IMPLEMENTATION>

<ORGANISATION-NAME> has established a Security Operations Centre (SOC) to analyse cyber security events in a timely manner, a Cyber Security Incident Register and Incident Response Plan to facilitate the response to detected cyber security events in a timely and appropriate manner. This plan includes reporting all incidents to the <ORGANISATION-NAME> CISO and to ASD in a timely manner.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra