🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub
Loading controls...

Control: 1.1.3 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

Description

In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:

  • Resource access from an unmanaged or shared device
  • Access to sensitive information from an external network
  • High-privileged users
  • Business-critical applications

Ensure Sign-in frequency does not exceed 4 hours for E3 tenants, or 24 hours for E5 tenants using Privileged Identity Management.

Ensure Persistent browser session is set to Never persist.

NOTE: This CA policy can be added to the previous CA policy in this benchmark "Ensure multifactor authentication is enabled for all users in administrative roles"

Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.

Remediation

To configure Sign-in frequency and browser sessions persistence for Administrative users:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Azure Active Directory > Applications Select Enterprise applications.
  3. Under Security, select Conditional Access.
  4. Click New policy.
  5. Click Users and groups.
  6. Under Include select Select users and groups and then select Directory roles.
  7. At a minimum, select the roles in the section below:
  8. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
  9. Under Access controls > Grant > select Grant access > check Require multi- factor authentication (and nothing else).
  10. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
  11. Check Persistent browser session then select Never persistent in the drop- down menu.
  12. For Enable Policy select On and click Save.

At minimum these directory roles should be included for MFA:

  • Application administrator
  • Authentication administrator
  • Billing administrator
  • Cloud application administrator
  • Conditional Access administrator
  • Exchange administrator
  • Global administrator
  • Global reader
  • Helpdesk administrator
  • Password administrator
  • Privileged authentication administrator
  • Privileged role administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

Default Value: The Azure Active Directory (Azure AD) default configuration for user sign-in frequency is a rolling window of 90 days.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_1_1_3 --share

SQL

This control uses a named query:

azuread_signin_frequency_policy

Tags

category = Compliance
cis = true
cis_item_id = 1.1.3
cis_level = 1
cis_section_id = 1.1
cis_type = manual
cis_version = v2.0.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory