🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub
Loading controls...

Control: 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

Description

Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.

Administrative roles this should apply to include those such as:

  • Global Administrator
  • Billing Administrator
  • Exchange Administrator
  • SharePoint Administrator
  • Password Administrator
  • Skype for Business Administrator
  • Service Support Administrator
  • User Administrator
  • Dynamics 365 Service Administrator
  • Power BI Administrator

Note: The frequency at which MFA is prompted will be determined by your organization's policy and need.

Ensuring these additional controls are present for Administrative users adds an additional layer of defense against drive-by attacks and even some ransomware attacks.

Remediation

To enable the multifactor timeout and persistent browser settings are set for administrators, use the Microsoft 365 Admin Center:

  1. Log in to https://admin.microsoft.com as a Global Administrator.
  2. Go to Admin centers and click on Azure Active Directory.
  3. Select Enterprise applications then, under Security, select Conditional Access.
  4. Click New policy.
  5. Go to Assignments > Users and groups > Include > Select users and groups > check Directory roles.
  6. At a minimum, select the following roles: Billing admin, Conditional Access admin, Exchange admin, Global admin, Helpdesk admin, Security admin, SharePoint admin, and User admin.
  • Targeting any role with the word admin will ensure that any users with additional privileges will be targeted.
  1. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
  2. Under Access controls > Grant > select Grant access > check Require multi- factor authentication (and nothing else).
  3. Under Session check Sign-in frequency and enter the value determined by your organization.
  4. Check Persistent browser session then select Never persistent in the drop-down menu.
  5. Create.

NOTE: After creation ensure that the policy is set to enabled.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_1_1_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_15 --share

SQL

This control uses a named query:

azuread_signin_frequency_policy

Tags

category = Compliance
cis = true
cis_item_id = 1.1.15
cis_level = 1
cis_section_id = 1.1
cis_type = manual
cis_version = v1.5.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory