Benchmark: 6.2 Conditional Access
Overview
For most Azure tenants, and certainly for organizations with significant use of Microsoft Entra ID, Conditional Access policies are the recommended and preferred way to enforce sign-in controls. Using Conditional Access policies requires an eligible licensing plan, and Security Defaults must be disabled, since the two cannot be active in the same tenant at once. Because of the licensing requirement, every Conditional Access control in this section is assigned the CIS profile "Level 2".
Conditional Access requires one of the following plans:
- Microsoft Entra ID P1 or P2
- Microsoft 365 Business Premium
- Microsoft 365 E3 or E5
- Microsoft 365 F1, F3, F5 Security and F5 Security + Compliance
- Enterprise Mobility + Security E3 or E5
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 6.2 Conditional Access.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_6_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_6_2 --share
Controls
- 6.2.1 Ensure that 'trusted locations' are defined
- 6.2.2 Ensure that an exclusionary geographic Conditional Access policy is considered
- 6.2.3 Ensure that an exclusionary device code flow policy is considered
- 6.2.4 Ensure that a multifactor authentication policy exists for all users
- 6.2.5 Ensure that multifactor authentication is required for risky sign-ins
- 6.2.6 Ensure that multifactor authentication is required for Windows Azure Service Management API
- 6.2.7 Ensure that multifactor authentication is required to access Microsoft Admin Portals
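As an added example (not code from the mod or from the CIS benchmark), the Python below evaluates a list of Conditional Access policies, in the JSON shape Microsoft Graph returns for the conditionalAccessPolicy resource, against the policy-shaped controls 6.2.3 through 6.2.7 (6.2.1 and 6.2.2 concern named locations rather than policy grants and are not covered). It runs over a constructed two-policy sample and makes the detail these controls hinge on visible: a policy left in report-only state satisfies none of them, and a single enforced MFA policy scoped to all users and all cloud apps covers the Windows Azure Service Management API and the Microsoft Admin Portals at the same time. The two application identifiers are Microsoft's well-known values; the policy names and the excluded user GUID are invented.

```python
import json

# Well-known identifiers used in Conditional Access policy conditions, as
# returned by the Microsoft Graph conditionalAccessPolicy resource.
AZURE_SERVICE_MANAGEMENT_API = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
MICROSOFT_ADMIN_PORTALS = "MicrosoftAdminPortals"

# Constructed sample policies (not exported from any real tenant), in the shape
# of GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
SAMPLE_POLICIES = json.loads("""
[
  {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
      "users": {"includeUsers": ["All"],
                "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
      "applications": {"includeApplications": ["All"]},
      "signInRiskLevels": [],
      "clientAppTypes": ["all"]
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  },
  {
    "displayName": "Block device code flow",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {"includeUsers": ["All"], "excludeUsers": []},
      "applications": {"includeApplications": ["All"]},
      "authenticationFlows": {"transferMethods": "deviceCodeFlow"}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}
  }
]
""")


def _enforced(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies
    # log an outcome but never challenge or block a sign-in.
    return policy.get("state") == "enabled"


def _all_users(policy):
    users = policy.get("conditions", {}).get("users") or {}
    return "All" in (users.get("includeUsers") or [])


def _included_apps(policy):
    apps = policy.get("conditions", {}).get("applications") or {}
    return apps.get("includeApplications") or []


def _covers_app(policy, app_id):
    # "All" in includeApplications implicitly covers every first-party app.
    included = _included_apps(policy)
    return "All" in included or app_id in included


def _controls(policy):
    # grantControls is null for block/session-only policies; treat as empty.
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _risky_sign_in(policy):
    return bool(policy.get("conditions", {}).get("signInRiskLevels"))


def _blocks_device_code(policy):
    # transferMethods is a comma-separated string, e.g. "deviceCodeFlow,authenticationTransfer".
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = (flows.get("transferMethods") or "").split(",")
    return "deviceCodeFlow" in methods and "block" in _controls(policy)


def evaluate(policies):
    """Return {control_id: [names of enforced policies that satisfy it]}.

    An empty list for a control means the tenant fails that control."""
    checks = {
        "6.2.3": _blocks_device_code,
        "6.2.4": lambda p: _all_users(p) and "mfa" in _controls(p)
                 and "All" in _included_apps(p),
        "6.2.5": lambda p: _all_users(p) and _risky_sign_in(p)
                 and "mfa" in _controls(p),
        "6.2.6": lambda p: _all_users(p) and "mfa" in _controls(p)
                 and _covers_app(p, AZURE_SERVICE_MANAGEMENT_API),
        "6.2.7": lambda p: _all_users(p) and "mfa" in _controls(p)
                 and _covers_app(p, MICROSOFT_ADMIN_PORTALS),
    }
    return {cid: [p["displayName"] for p in policies if _enforced(p) and check(p)]
            for cid, check in checks.items()}


if __name__ == "__main__":
    for cid, names in evaluate(SAMPLE_POLICIES).items():
        print(cid, "PASS" if names else "FAIL", names)
```

Against the sample, 6.2.4, 6.2.6 and 6.2.7 pass on the single "Require MFA for all users" policy, 6.2.5 fails because no enforced policy keys on signInRiskLevels, and 6.2.3 fails because the device code block is report-only; switching its state to "enabled" is what makes it count. Exclusions (excludeUsers, typically break-glass accounts) are deliberately not treated as a failure here, since the benchmark expects them to exist; a stricter version would at least report their count.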