Query: azuread_admin_user_mfa_enabled

Usage

powerpipe query microsoft365_compliance.query.azuread_admin_user_mfa_enabled

Steampipe Tables

azuread_conditional_access_policy

azuread_directory_role

azuread_user

SQL

with users_having_admin_roles as (
  select
    array_agg(role_template_id) as rid
  from
    azuread_directory_role
  where
    display_name like '%Administrator'
),
policy_with_mfa as (
  select
    tenant_id,
    count(p.*)
  from
    azuread_conditional_access_policy as p,
    users_having_admin_roles as a
  where
    p.built_in_controls ?& array['mfa']
    and (p.users -> 'includeRoles')::jsonb ?| (a.rid)
    and jsonb_array_length(p.users -> 'excludeUsers') < 1
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has MFA enabled for all users in administrative roles.'
    else t.tenant_id || ' has MFA disabled for all users in administrative roles.'
  end as reason
  , t.tenant_id as tenant_id
from
  tenant_list as t;

Controls

The query is being used by the following controls: