Benchmark: 1.2 Conditional Access
Overview
For most Azure tenants, and certainly for organizations that make significant use of Azure Active Directory, Conditional Access policies are recommended and preferred. Using Conditional Access policies requires a licensing plan, and Security Defaults must be disabled.
Conditional Access requires one of the following plans:
- Azure Active Directory Premium P1 or P2
- Microsoft 365 Business Premium
- Microsoft 365 E3 or E5
- Enterprise Mobility & Security E3 or E5
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.2 Conditional Access.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v150_1_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v150_1_2 --share
Controls
- 1.2.1 Ensure Trusted Locations Are Defined
- 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered
- 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users
- 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins
- 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management