Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'

Description

The account lockout duration value determines how long an account retains the status of lockout, and therefore how long before a user can continue to attempt to login after passing the lockout threshold.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.ad_account_duration_min_60_seconds

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.ad_account_duration_min_60_seconds --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  id as resource,
  case
    when (value)::int >= 60 then 'ok'
    else 'alarm'
  end as status,
  case
    when (value)::int >= 60 then t.display_name || ' lockout duration is at least 60 seconds.'
    else
      t.display_name || ' lockout duration is less than 60 seconds.'
  end as reason,
  t.tenant_id
  
from
  distinct_tenant as t,
  azuread_directory_setting
where
  name = 'LockoutDurationInSeconds';

Tags

service = Azure/ActiveDirectory