Skip to main content
All CollectionsControl Tests
Test: MFA on Infrastructure Console
Test: MFA on Infrastructure Console

Drata connects to the company's infrastructure and pulls a list of IAM accounts' auth configurations to determine if MFA is required.

Ashley Hyman avatar
Written by Ashley Hyman
Updated over a week ago


This test is part of the MFA on Accounts control that ensures Multi-Factor Authentication (MFA) is being required for access to any sensitive systems or applications. Drata will verify that in order to log in to your company Infrastructure Management Console a user needs to provide their ID, a password, and then either a One-Time Password (OTP) or certificate.


If Drata finds that there are infrastructure accounts that do not have MFA enabled the test will fail. With a failed test you will receive a list of users that do not have MFA enabled on their account.


To ensure a validated state when testing for MFA on the Infrastructure Console, please follow the steps listed in the table below. In certain cases, the individual failing users will need to modify their account MFA implementation. Once the provider steps have been completed, the next nightly user sync will pick up the changes and rerun the test to show the latest results.

Provider / Technology

Provider Steps

Atlas MongoDB

  1. Atlas' API does not expose user MFA details. As a result, all records on the Managed Accounts page will show as failing MFA. In addition, monitoring test 88 - MFA on Infrastructure Console will show these users as failing. They will need to be excluded. If Atlas is the only connected infrastructure connection, this test can be disabled.


  1. Within AWS, go to the IAM service

  2. Go to Users

  3. Add user, add to any user group

  4. Save user

Then, as the new IAM user:

  1. Login

  2. Turn on MFA

Azure - Users

  1. Login to with Office 365 credentials

  2. Create user with Office 365 email

    1. Users created in this way are associated with Office 365 AND Azure

  3. Click "Authentication Methods", then require re-register MFA in top panel

Then, as the new user:

  1. Login

  2. Turn on MFA

This may take a few hours to propagate within Azure.

Note: Drata also supports pulling MFA when Conditional Access Policies or Security Defaults are in place. This does require that Microsoft 365 be used as your IdP connection. Please reach out to our Technical Support team if you need more guidance.

Cloudflare - Users

  1. Within Cloudflare, select an account

  2. Navigate to the members page

  3. Turn ON the “Member 2FA enforcement” (This will require invited members to enable their MFA when they accepted the invitation)

  4. Invite members. (Enter email address)

  5. Click the invite button

Note: You will need to make sure that an Admin has connected both the IDP and Cloudflare to Drata.


Accounts within GCP must also be added to Google Workspace (GW, fka GSuite).

To Add a User to GW and GCP

  1. Log in to GW and add the account

  2. Log in to GCP IAM and add the member that was created in GW

  3. Make sure this user has MFA enabled in GW

  4. Navigate to the Connections screen in Drata and connect to GW and GCP

    1. NOTE: please follow the "Before Diving In" section of the GCP Connection Details article to ensure Drata can automatically pull MFA for GCP users

  5. Navigate to the Manage Infrastructure Accounts page (filtered to clientType=GCP)

  6. Verify the account has been added

  7. Verify the user shows as having MFA enabled


  1. Log into Heroko

  2. Click 'Setup Multi-Factor Authentication'

  3. Click 'Add' to choose the desired MFA authentication method and follow the on-screen instructions'

  4. Click 'Done' to finish the setup

  5. Ensure you receive the confirmation email

NOTE: ensure the user making the Heroku connection is part of an Enterprise Team, and that global permissions have been granted to the Drata OAuth application. This will allow Drata to pull MFA for both enterprise and standard team members.


Did this answer your question?