Benchmark: 6 Identity Services
Overview
To better understand the relationship between the Foundations Benchmark and Services Benchmarks, please read the "Introduction" section of this document.
This section covers security best practice recommendations for products in the Azure Identity services category.
Azure Product Directory Reference: https://azure.microsoft.com/en-us/products#identity
FEEDBACK REQUEST: Is there a specific service or recommendation in this section that you'd like to see addressed or improved? Let us know by making a ticket or starting a discussion in the CIS Microsoft Azure Community (https://workbench.cisecurity.org/communities/72).
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 6 Identity Services.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_6Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_6 --shareBenchmarks
Controls
- 6.4 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- 6.5 Ensure that 'Number of methods required to reset' is set to '2'
- 6.6 Ensure that account 'Lockout threshold' is less than or equal to '10'
- 6.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- 6.8 Ensure that a 'Custom banned password list' is set to 'Enforce'
- 6.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- 6.10 Ensure that 'Notify users on password resets?' is set to 'Yes'
- 6.11 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
- 6.12 Ensure that 'User consent for applications' is set to 'Do not allow user consent'
- 6.13 Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
- 6.14 Ensure that 'Users can register applications' is set to 'No'
- 6.15 Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- 6.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- 6.17 Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes'
- 6.18 Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
- 6.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- 6.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- 6.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- 6.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- 6.23 Ensure that no custom subscription administrator roles exist
- 6.24 Ensure that a custom role is assigned permissions for administering resource locks
- 6.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
- 6.26 Ensure fewer than 5 users have global administrator assignment