MT.1006 - At least one Conditional Access policy is configured to require MFA for admins.
Overview
This test checks whether the tenant has at least one Conditional Access policy requiring MFA for admins. The following roles are considered admin roles:
- Global Administrator
- Application Administrator
- Authentication Administrator
- Billing Administrator
- Cloud Application Administrator
- Conditional Access Administrator
- Exchange Administrator
- Helpdesk Administrator
- Password Administrator
- Privileged Authentication Administrator
- Privileged Role Administrator
- Security Administrator
- SharePoint Administrator
- User Administrator
See Require MFA for administrators - Microsoft Learn
Test Metadata
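The following is an added example, not the Test-MtCaMfaForAdmin source or any Maester code: a simplified check of the same idea over Conditional Access policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource. The function name, the two placeholder role IDs and the three sample policies are constructed for illustration; against a real tenant the required IDs would be the role template IDs of the roles listed above.

```powershell
# Added example: hypothetical helper, not the Test-MtCaMfaForAdmin source.
function Test-CaPolicySetRequiresAdminMfa {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [string[]] $RequiredRoleIds
    )
    foreach ($p in $Policies) {
        # Disabled and report-only policies enforce nothing.
        if ($p.state -ne 'enabled') { continue }
        # The grant must include the built-in MFA control. Policies that use an
        # authentication strength instead are not recognised by this simplified check.
        if (@($p.grantControls.builtInControls) -notcontains 'mfa') { continue }
        # Every required role must be included and none of them excluded.
        $included = @($p.conditions.users.includeRoles)
        $excluded = @($p.conditions.users.excludeRoles)
        $gaps = @($RequiredRoleIds | Where-Object {
            $included -notcontains $_ -or $excluded -contains $_ })
        if ($gaps.Count -gt 0) { continue }
        # An app-scoped policy leaves admin sign-ins to other apps without MFA.
        if (@($p.conditions.applications.includeApplications) -notcontains 'All') { continue }
        return $true
    }
    return $false
}

# Constructed sample data: placeholder role IDs and three made-up policies.
$roleA = '00000000-0000-0000-0000-00000000000a'
$roleB = '00000000-0000-0000-0000-00000000000b'
$policies = @"
[
 {"displayName":"Report-only MFA","state":"enabledForReportingButNotEnforced",
  "conditions":{"users":{"includeRoles":["$roleA","$roleB"],"excludeRoles":[]},
                "applications":{"includeApplications":["All"]}},
  "grantControls":{"builtInControls":["mfa"]}},
 {"displayName":"MFA for one role only","state":"enabled",
  "conditions":{"users":{"includeRoles":["$roleA"],"excludeRoles":[]},
                "applications":{"includeApplications":["All"]}},
  "grantControls":{"builtInControls":["mfa"]}},
 {"displayName":"MFA for all admin roles","state":"enabled",
  "conditions":{"users":{"includeRoles":["$roleA","$roleB"],"excludeRoles":[]},
                "applications":{"includeApplications":["All"]}},
  "grantControls":{"builtInControls":["mfa"]}}
]
"@ | ConvertFrom-Json

# First call sees only the report-only and partial policies; second sees all three.
Test-CaPolicySetRequiresAdminMfa -Policies $policies[0..1] -RequiredRoleIds $roleA, $roleB
Test-CaPolicySetRequiresAdminMfa -Policies $policies -RequiredRoleIds $roleA, $roleB
```

The first two sample policies show the common gaps: a policy left in report-only mode, and an enforced policy that covers only part of the admin role list.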
| Field | Value |
|---|---|
| Test ID | MT.1006 |
| Severity | High |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtCaMfaForAdmin |
| Tags | CA, Maester, MT.1006 |
Source
- Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtCaMfaForAdmin.ps1