turbot/microsoft365_compliance

Query: azuread_all_user_mfa_enabled

Usage

powerpipe query microsoft365_compliance.query.azuread_all_user_mfa_enabled

SQL

with users_having_admin_roles as (
select
array_agg(role_template_id) as rid
from
azuread_directory_role
),
policy_with_mfa as (
select
tenant_id,
count(p.*)
from
azuread_conditional_access_policy as p,
users_having_admin_roles as a
where
p.built_in_controls ?& array['mfa']
and (p.users -> 'includeRoles')::jsonb ?| (a.rid)
and jsonb_array_length(p.users -> 'excludeUsers') < 1
group by
tenant_id
),
tenant_list as (
select
distinct on (tenant_id) tenant_id,
_ctx,
id,
display_name
from
azuread_user
)
select
t.tenant_id as resource,
case
when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then 'ok'
else 'alarm'
end as status,
case
when (select count from policy_with_mfa where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has MFA enabled for all users.'
else t.tenant_id || ' has MFA disabled for all users.'
end as reason
, t.tenant_id as tenant_id
from
tenant_list as t;

Controls

The query is being used by the following controls: