Benchmark: 2.1 Security Defaults (Per-User MFA)
Overview
IMPORTANT: The Azure "Security Defaults" recommendations represent an entry-level set of recommendations (such as Multi-Factor Authentication) which will be relevant to organizations and tenants that are either just starting to use Azure, or are only utilizing a bare minimum feature set, and rely on the free license tier of Microsoft Entra ID. Security Defaults recommendations are intended to ensure that these use cases are still capable of establishing a strong baseline of secure configuration.
If your subscription is licensed to use Microsoft Entra ID P1 or P2, it is strongly recommended that the "Security Defaults" section (this section and the recommendations therein) be bypassed in favor of the use of "Conditional Access."
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 2.1 Security Defaults (Per-User MFA).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v300_2_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v300_2_1 --shareControls
- 2.1.1 Ensure Security Defaults is enabled on Microsoft Entra ID
- 2.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- 2.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- 2.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled