Control: 1.1.21 Ensure 'Microsoft Azure Management' is limited to administrative roles
Description
The Microsoft Azure Management application governs various Azure services and can be secured through the implementation of a Conditional Access policy. This policy can restrict specific user accounts from accessing the related portals and applications.
When Conditional Access policy is targeted to the Microsoft Azure Management application, within the Conditional Access policy app picker the policy will be enforced for tokens issued to application IDs of a set of services closely bound to the portal.
- Azure Resource Manager
- Azure portal, which also covers the Microsoft Entra admin center
- Azure Data Lake
- Application Insights API
- Log Analytics API
Microsoft Azure Management
should be restricted to specific pre-determined administrative roles.
NOTE: Blocking Microsoft Azure Management will prevent non-privileged users from signing into most portals other than Microsoft 365 Defender and Microsoft Purview.
Blocking sign-in to Azure Management applications and portals enhances security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities, as well as acting as a defense in depth measure against security breaches.
Remediation
To enable Microsoft Azure Management restrictions:
- Navigate to
Microsoft Entra admin center
https://entra.microsoft.com/. - Click to expand
Protect & Secure
selectConditional Access
. - Click
New Policy
and then name the policy. - Select
Users
>Include
>All Users
. - Select
Users
>Exclude
>Directory roles
and select only administrative roles. See audit section for more information. - Select
Cloud apps or actions
>Select apps
>Select
then click the box next toMicrosoft Azure Management
. - Click
Select
. - Select
Grant
>Block access
and clickSelect
. - Ensure
Enable Policy
isOn
then clickCreate
.
Default Value: No - Non-administrators can access the Azure AD administration portal.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v200_1_1_21
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v200_1_1_21 --share
SQL
This control uses a named query:
with users_having_admin_roles as ( select array_agg(role_template_id) as rid from azuread_directory_role where display_name = 'Global Administrator'),policy_with_block as ( select tenant_id from azuread_conditional_access_policy as p, users_having_admin_roles as a where p.built_in_controls ?& array['block'] and (p.users -> 'excludeRoles')::jsonb ?| (a.rid) and (p.users -> 'includeUsers')::jsonb ?& array['All'] group by tenant_id),tenant_list as ( select distinct on (tenant_id) tenant_id, id, display_name, _ctx from azuread_user)select t.tenant_id as resource, case when (select count(*) from policy_with_block where tenant_id = t.tenant_id) > 0 then 'ok' else 'alarm' end as status, case when (select count(*) from policy_with_block where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' limited to administrative roles.' else t.tenant_id || ' not limited to administrative roles.' end as reason , t.tenant_id as tenant_idfrom tenant_list as t;