Benchmark: 1.2 Conditional Access

Overview

For most Azure tenants, and certainly for organizations with a significant use of Microsoft Entra ID, Conditional Access policies are recommended and preferred. To use conditional access policies, a licensing plan is required, and Security Defaults must be disabled.

Conditional Access requires one of the following plans:

• Microsoft Entra ID Premium P1 or P2
• Microsoft 365 Business Premium
• Microsoft 365 E3 or E5
• Microsoft 365 F1, F3, F5 Security and F5 Security + Compliance
• Enterprise Mobility & Security E3 or E5.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select 1.2 Conditional Access.

Run this benchmark in your terminal:

powerpipe benchmark run azure_compliance.benchmark.cis_v210_1_2

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run azure_compliance.benchmark.cis_v210_1_2 --share

Controls

• 1.2.1 Ensure Trusted Locations Are Defined
• 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered
• 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
• 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users
• 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins
• 1.2.6 Ensure Multifactor Authentication is Required for Windows Azure Service Management API
• 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals

Tags