[FALSE-POSITIVE] Template missing MFA Check #11761

@moerketh

Description

Template IDs or paths

- cloud/azure/activedirectory/azure-mfa-not-enabled-privileged-users.yaml

Environment

- OS: Kali (rolling)
- Nuclei: v3.3.10
- Go: 1.24.0

Steps To Reproduce

Summary: The azure-mfa-not-enabled-privileged-users template fails to properly verify whether Multi-Factor Authentication (MFA) is enabled for users with privileged Azure roles.

Description:
The nuclei template azure-mfa-not-enabled-privileged-users is designed to identify Azure users with privileged roles (like Owner, Contributor, or Administrator) where Multi-Factor Authentication (MFA) isn’t enforced. The template has two main code blocks:

  • First Code Block:
    Uses the Azure CLI command az ad user list to fetch a list of all users and extracts their userPrincipalName values into a variable called userList. This is just gathering the raw list of users, nothing about MFA yet.

  • Second Code Block:
    Loops through each user from userList (via the flow section) and runs az role assignment list to check their role assignments. It looks for privileged roles (Owner, Contributor, Administrator) using a word matcher.
    If a match is found, it flags the user with a message like " is a privileged user without MFA enabled" via the DSL extractor.

Where’s the MFA Check?
Here’s the issue: nowhere in this template does it actually query whether MFA is enabled for these users. The second code block checks for privileged roles, but it doesn’t cross-reference that with any MFA status.

Steps:

  1. Run az login --tenant your-tenant (this is a prerequisite for the rule)
  2. Run the nuclei template:
$ nuclei -t cloud/azure/activedirectory/azure-mfa-not-enabled-privileged-users.yaml -code -esc

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.10

                projectdiscovery.io

[INF] Current nuclei version: v3.3.10 (latest)
[INF] Current nuclei-templates version: v10.1.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 281
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[azure-mfa-not-enabled-privileged-users] [code] [high]  ["<snip> is a privileged user without MFA enabled"]
[azure-mfa-not-enabled-privileged-users] [code] [high]  ["<snip> is a privileged user without MFA enabled"]
  3. Notice that it reports all users with privileged roles regardless of MFA status.

Relevant dumped responses

Anything else?

No response
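The cross-reference the report describes as missing, shown as an added Python example (not the template's own code and not from the nuclei-templates project): the same privileged-role word match, followed by a join against an MFA registration list before anything is reported. Both inputs are constructed samples; the role-assignment fields follow the shape of `az role assignment list` output, and the `isMfaRegistered` field is assumed to come from the Graph authentication-methods registration report, which the template would have to query separately.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`
# (only the fields this check needs; the real output carries many more).
ROLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@example.com", "principalType": "User", "roleDefinitionName": "Owner"},
  {"principalName": "bob@example.com",   "principalType": "User", "roleDefinitionName": "Contributor"},
  {"principalName": "carol@example.com", "principalType": "User", "roleDefinitionName": "Reader"},
  {"principalName": "dave@example.com",  "principalType": "User", "roleDefinitionName": "User Access Administrator"},
  {"principalName": "ci-deploy",         "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor"}
]""")

# Constructed sample in the shape of the Graph registration report
# (assumed source: reports/authenticationMethods/userRegistrationDetails,
# field isMfaRegistered). dave deliberately has no record at all.
MFA_REGISTRATION = json.loads("""[
  {"userPrincipalName": "alice@example.com", "isMfaRegistered": true},
  {"userPrincipalName": "bob@example.com",   "isMfaRegistered": false},
  {"userPrincipalName": "carol@example.com", "isMfaRegistered": false}
]""")

# Same substring match on role names that the template's word matcher performs.
PRIVILEGED_WORDS = ("Owner", "Contributor", "Administrator")


def is_privileged(role_name: str) -> bool:
    return any(word in role_name for word in PRIVILEGED_WORDS)


def privileged_users(assignments) -> list:
    """What the current template reports: every user holding a privileged role."""
    return sorted({a["principalName"] for a in assignments
                   if a.get("principalType") == "User" and is_privileged(a["roleDefinitionName"])})


def privileged_without_mfa(assignments, registration) -> list:
    """The missing step: keep only privileged users whose MFA is not registered.
    A user with no registration record is treated as not registered (fail closed)."""
    mfa = {r["userPrincipalName"].lower(): bool(r["isMfaRegistered"]) for r in registration}
    return [u for u in privileged_users(assignments) if not mfa.get(u.lower(), False)]


if __name__ == "__main__":
    print("template reports:", privileged_users(ROLE_ASSIGNMENTS))
    print("after MFA check: ", privileged_without_mfa(ROLE_ASSIGNMENTS, MFA_REGISTRATION))
```

With the sample data the role match alone reports alice, bob and dave; only bob and dave survive the MFA join, which is the difference between the template's current output and the finding it claims to produce.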

Metadata

Labels: Done, Ready to merge, false-positive (Nuclei template reporting invalid/unexpected result)