v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub

Query: azuread_password_protection_enabled

Usage

powerpipe query microsoft365_compliance.query.azuread_password_protection_enabled

Steampipe Tables

azuread_directory_setting
azuread_user
Azure Active Directory plugin

SQL

with enable_banned_password_check_on_premises_settings as (
  select
    tenant_id,
    id
  from
    azuread_directory_setting
  where
    display_name = 'Password Rule Settings'
    and (name = 'EnableBannedPasswordCheckOnPremises' and value = 'True')
), banned_password_check_on_premise_mode_settings as (
  select
    tenant_id,
    id
  from
  azuread_directory_setting
  where
    display_name = 'Password Rule Settings'
    and (name = 'BannedPasswordCheckOnPremisesMode' and value = 'Enforce')
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when (e.tenant_id is not null) and (b.tenant_id is not null) then 'ok'
    else 'alarm'
  end as status,
  case
    when (e.tenant_id is not null) and (b.tenant_id is not null) then t.tenant_id || ' has password protection enabled.'
    else t.tenant_id || ' has password protection disabled.'
  end as reason
  , t.tenant_id as tenant_id
from
  tenant_list as t
  left join enable_banned_password_check_on_premises_settings as e on e.tenant_id = t.tenant_id
  left join banned_password_check_on_premise_mode_settings as b on b.tenant_id = t.tenant_id;

Controls

The query is being used by the following controls: