v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub

Control: 1.1.5 Ensure that password protection is enabled for Active Directory

Description

Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords.

Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.

Remediation

To setup Azure Active Directory Password Protection, use the following steps:

  1. Download and install the Azure AD Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071.
  2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
  3. Go to Admin centers and click on Azure Active Directory.
  4. Select Azure Active Directory then Security on the left side navigation followed by Authentication methods.
  5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced.
  6. Click Save at the top of the right pane.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v140_1_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_5 --share

SQL

This control uses a named query:

azuread_password_protection_enabled

Tags

category = Compliance
cis = true
cis_item_id = 1.1.5
cis_level = 1
cis_section_id = 1.1
cis_type = manual
cis_version = v1.4.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory