Has MFA been applied to all users of your cloud services?
Section A7: User Access Control · Cyber Essentials Montpellier
What this question is really asking
This is an auto-fail question. MFA must be enabled for all users of cloud services — not just administrators. If you have users who have not enrolled in MFA on your cloud platforms, you cannot certify under Danzell until this is resolved. Roll out MFA organisation-wide before your assessment.
What satisfies this requirement
Yes or NoAll cloud service user accounts must use MFA with a password of at least 8 characters.
What to prepare before your assessor visit
This is the change that caught the most organisations off-guard in Danzell. Organisations that had only enabled MFA for IT administrators under Willow found they needed a full user rollout to certify under Danzell. Before assessment, pull a report from your cloud identity platform showing MFA enrollment status for every user. Any user not enrolled must be enrolled — or have their access removed — before you submit. Do not underestimate the time needed to chase non-compliant users.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.