turbot/steampipe-mod-azure-compliance

Control: Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles [...]' or 'No one [...]'

Description

Restrict guest invitations to either users assigned specific administrative roles or to no one. The control reads the tenant-wide authorization policy and passes only when its allow_invites_from value is adminsAndGuestInviters (the portal setting 'Only users assigned to specific admin roles can invite guest users') or none ('No one in the organization can invite guest users'). Any other value, including everyone and adminsGuestInvitersAndAllMembers, is reported as an alarm because it lets ordinary members or guests bring external identities into the tenant.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.ad_authorization_policy_guest_invite_restricted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.ad_authorization_policy_guest_invite_restricted --share

SQL

This control uses a named query:

-- One row per tenant/subscription pair seen by the connected Azure subscriptions.
-- Note: because subscription_id is part of the DISTINCT key, a tenant reachable
-- through several subscriptions yields several rows, and the cross join below
-- then reports the same authorization policy once per subscription.
with distinct_tenant as (
  select
    distinct tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  -- azuread_authorization_policy has a single row per tenant; its id is the resource.
  id as resource,
  case
    when allow_invites_from in ('adminsAndGuestInviters', 'none') then 'ok'
    else 'alarm'
  end as status,
  case
    when allow_invites_from = 'none'
      then t.display_name || ' guest invitations disabled (no one).'
    when allow_invites_from = 'adminsAndGuestInviters'
      then t.display_name || ' guest invitations restricted to specific admin roles.'
    else
      -- coalesce keeps the reason readable if the column comes back null.
      t.display_name || ' guest invitations are too permissive: allow_invites_from=' || coalesce(allow_invites_from, '<null>') || '.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t,
  azuread_authorization_policy;
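The same classification can be applied outside Steampipe to the raw Microsoft Graph object the table is built from, which is useful for confirming a finding or scripting the fix. The following is an added example, not code from the steampipe-mod-azure-compliance project: it evaluates a policy document of the shape returned by GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy with the control's rules and builds the PATCH body that brings a non-compliant tenant into line. The sample policies embedded below are constructed for the example, not real tenant data, and the az rest commands in the comments are one assumed way to fetch and apply the document.

```python
"""Evaluate Entra ID guest-invite restrictions with the control's logic.

Added example (not part of steampipe-mod-azure-compliance). Input is the JSON
returned by Microsoft Graph, e.g. obtained with
  az rest --method GET --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy
The sample documents in SAMPLE_POLICIES are constructed for this example.
"""
import json

# Values the control accepts: allow_invites_from in ('adminsAndGuestInviters', 'none').
COMPLIANT = frozenset({"none", "adminsAndGuestInviters"})

# Values Graph documents for allowInvitesFrom; anything else is treated as unknown.
KNOWN_VALUES = frozenset({
    "none", "adminsAndGuestInviters", "adminsGuestInvitersAndAllMembers",
    "everyone", "unknownFutureValue",
})


def evaluate(policy: dict, tenant_name: str) -> dict:
    """Classify one authorizationPolicy document exactly as the control's CASE does.

    Returns {'status': 'ok' | 'alarm', 'reason': str, 'value': str | None}.
    A missing or null allowInvitesFrom is an alarm, never silently a pass.
    """
    value = policy.get("allowInvitesFrom")
    if value == "none":
        reason = f"{tenant_name} guest invitations disabled (no one)."
        return {"status": "ok", "reason": reason, "value": value}
    if value == "adminsAndGuestInviters":
        reason = f"{tenant_name} guest invitations restricted to specific admin roles."
        return {"status": "ok", "reason": reason, "value": value}
    shown = value if value is not None else "<null>"
    note = "" if value in KNOWN_VALUES or value is None else " (unrecognised value)"
    reason = f"{tenant_name} guest invitations are too permissive: allow_invites_from={shown}{note}."
    return {"status": "alarm", "reason": reason, "value": value}


def remediation_body(target: str = "adminsAndGuestInviters") -> str:
    """JSON body for the fix, to be sent with an assumed command such as
      az rest --method PATCH --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy \
        --headers 'Content-Type=application/json' --body '<this output>'
    Only values the control accepts are allowed as targets.
    """
    if target not in COMPLIANT:
        raise ValueError(f"{target!r} would not satisfy the control")
    return json.dumps({"allowInvitesFrom": target})


def evaluate_json(raw: str, tenant_name: str) -> dict:
    """Convenience wrapper: parse a Graph response string, then evaluate it."""
    return evaluate(json.loads(raw), tenant_name)


# Constructed sample documents (trimmed to the field the control inspects).
SAMPLE_POLICIES = {
    "Contoso (default tenant)": '{"id": "authorizationPolicy", "allowInvitesFrom": "everyone"}',
    "Fabrikam": '{"id": "authorizationPolicy", "allowInvitesFrom": "adminsAndGuestInviters"}',
    "Northwind": '{"id": "authorizationPolicy", "allowInvitesFrom": "none"}',
    "Tailspin": '{"id": "authorizationPolicy"}',
}

if __name__ == "__main__":
    for name, raw in SAMPLE_POLICIES.items():
        result = evaluate_json(raw, name)
        print(f"{result['status']:5} {result['reason']}")
        if result["status"] == "alarm":
            print(f"      fix: PATCH body {remediation_body()}")
```

Run it as a script to see one line per sample tenant; the Tailspin document shows why the control treats a null value as an alarm rather than a pass. Apply the PATCH only with an account holding a role that can edit the authorization policy, and re-run the control afterwards to confirm the change took effect.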

Tags