Azure secure score admin MFA

SenservaPro_CL
| where ControlName_s == 'AzureSecureScoreAdminMFAV2'

description: |
    'This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, critical devices and data is open to attack.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AdminMFA.yaml
requiredDataConnectors:
- dataTypes:
  - SenservaPro_CL
  connectorId: SenservaPro
query: |
  SenservaPro_CL
  | where ControlName_s == 'AzureSecureScoreAdminMFAV2'  
triggerThreshold: 0
name: Azure secure score admin MFA
relevantTechniques:
- T1529
- T1498
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ControlName_s
    identifier: Name
  - columnName: TenantId
    identifier: AadTenantId
  - columnName: TenantDisplayName_s
    identifier: DisplayName
- entityType: SecurityGroup
  fieldMappings:
  - columnName: Group_s
    identifier: DistinguishedName
- entityType: AzureResource
  fieldMappings:
  - columnName: SourceSystem
    identifier: ResourceId
tactics:
- Impact
queryPeriod: 6h
severity: High
status: Available
queryFrequency: 6h
id: 9a15c3dd-f72b-49a4-bcb7-94406395661e
kind: Scheduled
version: 1.0.1
triggerOperator: gt