Control: 5.2.2.8 Ensure 'Microsoft Azure Management' is limited to administrative roles
Description
The Microsoft Azure Management application governs various Azure services and can be secured through the implementation of a Conditional Access policy. This policy can restrict specific user accounts from accessing the related portals and applications, including:
- Azure Resource Manager
- Azure portal, which also covers the Microsoft Entra admin center
- Azure Data Lake
- Application Insights API
- Log Analytics API
Microsoft Azure Management should be restricted to specific pre-determined administrative roles.
Note: Blocking Microsoft Azure Management will prevent non-privileged users from signing into most portals other than Microsoft 365 Defender and Microsoft Purview.
Blocking sign-in to Azure Management applications and portals enhances security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities, as well as acting as a defense in depth measure against security breaches.
Remediation
To enable Microsoft Azure Management restrictions:
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com.
- Expand Protection > Conditional Access and select Policies.
- Click New Policy and name the policy.
- Select Users > Include > All Users.
- Select Users > Exclude > Directory roles and select only administrative roles. See the audit section of the CIS benchmark for more information.
- Select Cloud apps or actions > Select apps > Select, then tick the box next to Microsoft Azure Management.
- Click Select.
- Select Grant > Block access and click Select.
- Ensure Enable Policy is On, then click Create.
Warning: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.
Default Value
No - Non-administrators can access the Azure AD administration portal.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_8 --share
SQL
This control uses a named query:
with users_having_admin_roles as (
  select array_agg(role_template_id) as rid
  from azuread_directory_role
  where display_name = 'Global Administrator'
),
policy_with_block as (
  select tenant_id
  from azuread_conditional_access_policy as p, users_having_admin_roles as a
  where p.built_in_controls ?& array['block']
    and (p.users -> 'excludeRoles')::jsonb ?| (a.rid)
    and (p.users -> 'includeUsers')::jsonb ?& array['All']
  group by tenant_id
),
tenant_list as (
  select distinct on (tenant_id) tenant_id, id, display_name, _ctx
  from azuread_user
)
select
  t.tenant_id as resource,
  case
    when (select count(*) from policy_with_block where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count(*) from policy_with_block where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' limited to administrative roles.'
    else t.tenant_id || ' not limited to administrative roles.'
  end as reason,
  t.tenant_id as tenant_id
from tenant_list as t;
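The query above passes a tenant when any policy has the block grant control, includes All users and excludes the Global Administrator role template; it does not check that the policy is enabled (rather than report-only) or that it targets the Microsoft Azure Management app. The following Python script is an added example, not code from the Powerpipe mod or the CIS benchmark: it builds the policy body the remediation steps produce, in the JSON shape accepted by the Microsoft Graph endpoint POST /identity/conditionalAccess/policies (report-only by default, as the warning recommends), and evaluates a list of policies both the way the control's SQL does and with the two extra checks. The Global Administrator role template ID and the Microsoft Azure Management application ID are well-known Entra values that do not appear on this page; the display name, the placeholder app ID in the second sample policy and the sample policies themselves are constructed for the example.

```python
"""Build the Conditional Access policy from the remediation steps and evaluate
a tenant's policies the way the control does.

Added example, not code from the Powerpipe mod or the CIS benchmark. Uses the
JSON shape of GET /identity/conditionalAccess/policies (the same includeUsers /
excludeRoles keys the control's query reads). Sample policies are constructed
inline so the script runs offline.
"""
import json

# Well-known Entra identifiers; they are not on the page, so verify them in
# your tenant before relying on them.
GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
AZURE_MANAGEMENT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def build_policy(excluded_roles=(GLOBAL_ADMIN_ROLE_TEMPLATE,),
                 state="enabledForReportingButNotEnforced"):
    """Request body for POST /identity/conditionalAccess/policies.

    Mirrors the portal steps: all users included, administrative roles
    excluded, Microsoft Azure Management targeted, grant control = block.
    Defaults to report-only; pass state="enabled" only after the sign-in log
    shows that just the intended accounts would be blocked.
    """
    return {
        "displayName": "CIS 5.2.2.8 - Block Azure Management for non-admins",
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeRoles": list(excluded_roles),
            },
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def matches_control(policy):
    """The three conditions the control's SQL tests: block grant control,
    all users included, Global Administrator excluded."""
    users = policy.get("conditions", {}).get("users", {})
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return ("block" in controls
            and "All" in users.get("includeUsers", [])
            and GLOBAL_ADMIN_ROLE_TEMPLATE in users.get("excludeRoles", []))


def matches_control_strict(policy):
    """matches_control plus the two things the SQL does not check: the policy
    is enforced and it actually targets Microsoft Azure Management."""
    apps = (policy.get("conditions", {}).get("applications", {})
            .get("includeApplications", []))
    return (matches_control(policy)
            and policy.get("state") == "enabled"
            and AZURE_MANAGEMENT_APP in apps)


def evaluate_tenant(policies):
    """Return (status, reason) in the shape the Powerpipe control reports."""
    strict = [p["displayName"] for p in policies if matches_control_strict(p)]
    loose = [p["displayName"] for p in policies if matches_control(p)]
    if strict:
        return "ok", "limited to administrative roles by: " + ", ".join(strict)
    if loose:
        return "alarm", ("policy matches the control's query but is not enforced "
                         "or does not target Azure Management: " + ", ".join(loose))
    return "alarm", "no blocking policy for Microsoft Azure Management"


# Constructed sample of what the Graph endpoint might return.
SAMPLE_POLICIES = [
    build_policy(),  # the remediation policy, still in report-only mode
    {   # blocks non-admins from a different app (placeholder app id, constructed);
        # the page's SQL would count this one as satisfying the control
        "displayName": "Block other app for non-admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE]},
            "applications": {"includeApplications":
                             ["00000000-0000-0000-0000-000000000001"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    print(evaluate_tenant(SAMPLE_POLICIES))
    print(evaluate_tenant(SAMPLE_POLICIES + [build_policy(state="enabled")]))
```

To apply the policy, POST the output of build_policy() to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with an identity holding at least Policy.ReadWrite.ConditionalAccess; to audit, fetch the same endpoint and pass its value array to evaluate_tenant(). With the constructed sample the strict evaluation reports alarm, because the only policy targeting Azure Management is still report-only, while the page's query would report ok.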