ISM Controls and multifactor authentication Maturity Levels
This table outlines the ISM controls related to multifactor authentication.
ISM control Dec 2024 | Maturity Level | Control | Measure |
---|---|---|---|
ISM-0109 | 3 | Event logs from workstations are analyzed in a timely manner to detect cyber security events. | Out of scope for this guide. |
ISM-0123 | 2, 3 | Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered. | Out of scope for this guide. |
ISM-0140 | 2, 3 | Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered. | Out of scope for this guide. |
ISM-0974 | 2, 3 | Multifactor authentication is used to authenticate unprivileged users of systems. | Create conditional access policy requiring multifactor authentication. |
ISM-1173 | 2, 3 | Multifactor authentication is used to authenticate privileged users of systems. | Create conditional access policy requiring multifactor authentication. |
ISM-1228 | 2, 3 | Cyber security events are analyzed in a timely manner to identify cyber security incidents. | Out of scope for this guide. |
ISM-1401 | 1, 2, 3 | Multifactor authentication uses either: something users have and something users know, or something users have that can be unlocked with something users know or are. | Create conditional access policy requiring multifactor authentication.
ISM-1504 | 1, 2, 3 | Multifactor authentication is used to authenticate users to their organization’s online services that process, store, or communicate their organization’s sensitive data. | Create conditional access policy requiring multifactor authentication. |
ISM-1505 | 3 | Multifactor authentication is used to authenticate users of data repositories. | Create conditional access policy requiring multifactor authentication. |
ISM-1679 | 1, 2, 3 | Multifactor authentication is used to authenticate users to third-party online services that process, store, or communicate their organization’s sensitive data. | Create conditional access policy requiring multifactor authentication. |
ISM-1680 | 1, 2, 3 | Multifactor authentication (where available) is used to authenticate users to third-party online services that process, store, or communicate their organization’s nonsensitive data. | Create conditional access policy requiring multifactor authentication. |
ISM-1681 | 1, 2, 3 | Multifactor authentication is used to authenticate customers to online customer services that process, store, or communicate sensitive customer data. | Nonorganizational users (External ID for customers) are outside of the scope of this document. Microsoft Entra ID supports organizational users, which include employees and guest identities (B2B users). |
ISM-1682 | 2, 3 | Multifactor authentication used for authenticating users of systems is phishing-resistant. | Create conditional access policy requiring multifactor authentication and requiring a phishing-resistant authentication strength. |
ISM-1683 | 2, 3 | Successful and unsuccessful multifactor authentication events are centrally logged. | Verify authentication events are being logged in the Microsoft Entra sign-in logs. |
ISM-1815 | 2, 3 | Event logs are protected from unauthorized modification and deletion. | Access controls are in place to prevent unauthorized modification and deletion of event logs. |
ISM-1819 | 2, 3 | Following the identification of a cyber security incident, the cyber security incident response plan is enacted. | Out of scope for this guide. |
ISM-1872 | 2, 3 | Multifactor authentication used for authenticating users of online services is phishing-resistant. | Create conditional access policy requiring multifactor authentication and requiring a phishing-resistant authentication strength. |
ISM-1873 | 2 | Multifactor authentication used for authenticating customers of online customer services provides a phishing-resistant option. | Nonorganizational users (External ID for customers) are outside of the scope of this document. Microsoft Entra ID supports organizational users, which include employees and guest identities (B2B users). |
ISM-1874 | 3 | Multifactor authentication used for authenticating customers of online customer services is phishing-resistant. | Nonorganizational users (External ID for customers) are outside of the scope of this document. Microsoft Entra ID supports organizational users, which include employees and guest identities (B2B users). |
ISM-1892 | 1, 2, 3 | Multifactor authentication is used to authenticate users to their organization’s online customer services that process, store, or communicate their organization’s sensitive customer data. | Create conditional access policy requiring multifactor authentication. |
ISM-1893 | 1, 2, 3 | Multifactor authentication is used to authenticate users to third-party online customer services that process, store, or communicate their organization’s sensitive customer data. | Create conditional access policy requiring multifactor authentication. |
ISM-1894 | 3 | Multifactor authentication used for authenticating users of data repositories is phishing-resistant. | Create conditional access policy requiring multifactor authentication and requiring a phishing-resistant authentication strength. |
ISM-1906 | 2, 3 | Event logs from internet-facing servers are analyzed in a timely manner to detect cyber security events. | Out of scope for this guide. |
ISM-1907 | 3 | Event logs from non-internet-facing servers are analyzed in a timely manner to detect cyber security events. | Out of scope for this guide. |
The rest of this guide shows how you can configure Microsoft Entra Conditional Access policies to enforce multifactor authentication for the required maturity level.
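The "Measure" column above repeats two actions: create a Conditional Access policy that requires multifactor authentication (ISM-0974, ISM-1173, ISM-1504 and related controls), and, for Maturity Level 2 and 3, require a phishing-resistant authentication strength (ISM-1682, ISM-1872, ISM-1894). The following Microsoft Graph PowerShell script is an added example, not code from the original guide or from Microsoft; it creates such a policy in report-only mode and then reads the sign-in logs to confirm that multifactor authentication events are being recorded (ISM-1683). The break-glass group ID and the display name are placeholders you must replace; the authentication strength ID is the built-in "Phishing-resistant MFA" strength documented for the Microsoft Graph `authenticationStrengthPolicy` resource.

```powershell
# Added example: create a report-only Conditional Access policy that requires
# phishing-resistant MFA for all users on all cloud apps, then verify MFA
# events appear in the Microsoft Entra sign-in logs.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.

# Scopes: policy write for the Conditional Access policy, audit log read for the check.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) group.
# Always exclude these accounts so a misconfigured policy cannot lock out every admin.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Built-in authentication strength: Phishing-resistant MFA
# (FIDO2 security key, Windows Hello for Business, certificate-based authentication).
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName = "ISM-1682/1872 - Require phishing-resistant MFA (all users)"   # placeholder name
    # Start in report-only mode; switch to "enabled" once sign-in log review shows no unexpected blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        # With a single authentication strength control, OR and AND behave the same.
        operator               = "OR"
        authenticationStrength = @{
            id = $phishingResistantStrengthId
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Verification step for ISM-1683: confirm that sign-ins which required MFA are
# being logged, and show how many succeeded versus failed in the last 24 hours.
$since   = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$mfaSignIns = $signIns | Where-Object { $_.AuthenticationRequirement -eq "multiFactorAuthentication" }
$succeeded  = ($mfaSignIns | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
$failed     = $mfaSignIns.Count - $succeeded

Write-Host "MFA sign-ins logged in last 24h: $($mfaSignIns.Count) (succeeded: $succeeded, failed: $failed)"
if ($mfaSignIns.Count -eq 0) {
    Write-Warning "No MFA sign-in events found; check that sign-in logs are being collected before relying on them for ISM-1683."
}
```

Because the policy is created in report-only mode, the sign-in log entries carry the policy outcome without enforcing it; review those entries (for example, users whose only registered method is SMS or the Authenticator app push, which do not satisfy the phishing-resistant strength) before changing `state` to `enabled`, and export the logs to a central SIEM or Log Analytics workspace with restricted write access to address ISM-1815.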