Control: Ensure that multifactor authentication is required for Windows Azure Service Management API
Description
This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure PowerShell, Azure CLI, the Azure Resource Manager API, etc.) are required to present multi-factor authentication (MFA) credentials when accessing resources through that API.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.ad_mfa_service_mgmt_api
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.ad_mfa_service_mgmt_api --share
SQL
This control uses a named query:
-- One row per tenant, so every tenant is reported even if it has no matching policy.
with distinct_tenant as (
  select distinct
    tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
),
-- Count enabled conditional access policies that target all users, include the
-- Windows Azure Service Management API application and grant access only with
-- the built-in MFA control (value 1).
conditional_access_policy as (
  select
    tenant_id,
    count(*) as conditional_access_policy_count
  from
    azuread_conditional_access_policy
  where
    users -> 'includeUsers' ? 'All'
    and applications -> 'includeApplications' ? '797f4846-ba00-4fd7-ba43-dac1f8f63013'
    and built_in_controls @> '[1]'::jsonb
    and state = 'enabled'
  group by
    tenant_id
)
select
  t.tenant_id as resource,
  case
    when conditional_access_policy_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when conditional_access_policy_count > 0 then t.display_name || ' has conditional access policy which requires MFA for the Service Management API.'
    else t.display_name || ' does not have a conditional access policy which requires MFA for the Service Management API.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t
  left join conditional_access_policy as p on p.tenant_id = t.tenant_id;
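To make the query's four predicates concrete, the following added Python check (not part of the azure_compliance mod) applies the same criteria to constructed policy rows shaped like the azuread_conditional_access_policy columns and reproduces the per-tenant ok/alarm outcome, including the report-only case that the state = 'enabled' test excludes. It assumes, as the query does, that built-in control value 1 denotes MFA, and that enabledForReportingButNotEnforced is the report-only policy state.

```python
# Application id the control's WHERE clause matches in includeApplications.
SERVICE_MANAGEMENT_API_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
# Built-in grant control value the query treats as "require MFA"
# (assumption: mirrors built_in_controls @> '[1]' in the control).
MFA_BUILT_IN_CONTROL = 1

def policy_requires_mfa_for_service_mgmt_api(policy: dict) -> bool:
    """Apply the query's four predicates to one policy row. The jsonb '?' and
    '@>' tests become membership tests; report-only policies fail the state check."""
    users = policy.get("users") or {}
    apps = policy.get("applications") or {}
    return (
        "All" in (users.get("includeUsers") or [])
        and SERVICE_MANAGEMENT_API_APP_ID in (apps.get("includeApplications") or [])
        and MFA_BUILT_IN_CONTROL in (policy.get("built_in_controls") or [])
        and policy.get("state") == "enabled"
    )

def evaluate_tenants(tenants: list, policies: list) -> dict:
    """Reproduce the left join and CASE: {tenant_id: (status, reason)}."""
    counts = {}
    for p in policies:
        if policy_requires_mfa_for_service_mgmt_api(p):
            counts[p["tenant_id"]] = counts.get(p["tenant_id"], 0) + 1
    result = {}
    for t in tenants:
        name, n = t["display_name"], counts.get(t["tenant_id"], 0)
        if n > 0:
            result[t["tenant_id"]] = ("ok", name + " has conditional access policy which requires MFA for the Service Management API.")
        else:
            result[t["tenant_id"]] = ("alarm", name + " does not have a conditional access policy which requires MFA for the Service Management API.")
    return result

# Constructed sample rows (not real tenants or policies).
SAMPLE_TENANTS = [
    {"tenant_id": "tenant-a", "display_name": "Contoso"},
    {"tenant_id": "tenant-b", "display_name": "Fabrikam"},
    {"tenant_id": "tenant-c", "display_name": "Northwind"},
]
SAMPLE_POLICIES = [
    # Enabled, all users, Service Management API, MFA grant: satisfies the control.
    {"tenant_id": "tenant-a", "state": "enabled", "users": {"includeUsers": ["All"]},
     "applications": {"includeApplications": [SERVICE_MANAGEMENT_API_APP_ID]},
     "built_in_controls": [MFA_BUILT_IN_CONTROL]},
    # Same scope but report-only: state is not 'enabled', so it does not count.
    {"tenant_id": "tenant-b", "state": "enabledForReportingButNotEnforced",
     "users": {"includeUsers": ["All"]},
     "applications": {"includeApplications": [SERVICE_MANAGEMENT_API_APP_ID]},
     "built_in_controls": [MFA_BUILT_IN_CONTROL]},
]
```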