Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 5.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'

Description

Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Microsoft Entra ID.

Remediation

Remediate from Azure Portal

  1. From the Azure Portal Home select the portal menu.
  2. Select Subscriptions.
  3. In the Advanced options drop-down menu, select Manage Policies.
  4. Set Subscription leaving Microsoft Entra tenant and Subscription. entering Microsoft Entra tenant to Permit no one.
  5. Click Save changes.

Default Value

By default Subscription leaving Microsoft Entra tenant and Subscription entering Microsoft Entra tenant are set to Allow everyone (default).

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_25

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_25 --share

SQL

This control uses a named query:

select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;

Tags

category = Compliance
cis = true
cis_item_id = 5.25
cis_level = 2
cis_section_id = 5
cis_type = manual
cis_version = v5.0.0
plugin = azure
service = Azure