turbot/steampipe-mod-azure-compliance

Control: 5.2.8 Ensure a Token Protection Conditional Access policy is considered

Description

This recommendation ensures that issued tokens are cryptographically bound to the device they were issued to, so that a token copied off that device cannot be used from another one.

When properly configured, Conditional Access can aid in preventing attacks that use token theft, via hijacking or replay, as part of the attack flow. Although currently considered a rare event, the impact of token impersonation can be severe.

Remediation

Remediate from Azure Portal

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select the users or groups to apply this policy.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts (if applicable).
  6. Under Target resources > Resources > Include > Select resources
    1. Under Select, select the following applications:
      1. Office 365 Exchange Online
      2. Office 365 SharePoint Online
    2. Choose Select
  7. Under Conditions:
    1. Under Device platforms
      1. Set Configure to Yes.
      2. Include > Select device platforms > Windows.
      3. Select Done.
    2. Under Client apps:
      1. Set Configure to Yes.
      2. Under Modern authentication clients, only select Mobile apps and desktop clients.
      3. Select Done.
  8. Under Access controls > Session, select Require token protection for sign-in sessions and select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select Create to enable your policy.

Default Value

A Token Protection Conditional Access policy does not exist by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_2_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_2_8 --share

SQL

This control uses a named query:

select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;
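Because the control above only reports "Manual verification required.", the actual check has to be done against the tenant's Conditional Access policies. The following is an added example, not part of this mod or of the CIS benchmark: it encodes remediation steps 4 to 9 as the Microsoft Graph conditionalAccessPolicy object the portal creates, and evaluates an exported policy list the way a scripted version of this control would. It assumes the policies were exported with `GET https://graph.microsoft.com/beta/identity/conditionalAccess/policies` (the `secureSignInSession` session control is the Graph name for "Require token protection for sign-in sessions" and is exposed on the beta endpoint); the break-glass group ID is a placeholder and the sample export is constructed inline.

```python
import json

# Well-known first-party application IDs that Graph uses for the two apps
# selected in remediation step 6.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"

# Graph conditionalAccessPolicy body equivalent to remediation steps 4-9.
# Assumption: "<break-glass-group-id>" stands in for the tenant's real
# emergency-access group (step 5.2).
TOKEN_PROTECTION_POLICY = {
    "displayName": "CIS 5.2.8 - Require token protection (Windows desktop clients)",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeGroups": ["<break-glass-group-id>"],  # placeholder, assumption
        },
        "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
        "platforms": {"includePlatforms": ["windows"], "excludePlatforms": []},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "sessionControls": {"secureSignInSession": {"isEnabled": True}},
}

# Constructed sample of an export: a typical MFA policy that does not bind
# tokens, plus the token protection policy above.
SAMPLE_EXPORT = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": None,
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": None,
    },
    TOKEN_PROTECTION_POLICY,
]


def token_protection_findings(policy: dict) -> list[str]:
    """Return the reasons a policy does NOT satisfy 5.2.8 (an empty list means compliant)."""
    findings = []
    cond = policy.get("conditions") or {}
    session = policy.get("sessionControls") or {}

    # Step 8: the session control itself. Graph returns null for unset controls.
    if not (session.get("secureSignInSession") or {}).get("isEnabled"):
        findings.append("token protection session control not enabled")

    # Step 9: report-only ("enabledForReportingButNotEnforced") does not enforce anything.
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not 'enabled'")

    # Step 6: Exchange Online and SharePoint Online must be targeted (or "All").
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    if "All" not in apps and ({EXCHANGE_ONLINE, SHAREPOINT_ONLINE} - apps):
        findings.append("Exchange Online and/or SharePoint Online not targeted")

    # Step 7.1: Windows is the only platform the remediation includes.
    platforms = (cond.get("platforms") or {}).get("includePlatforms") or []
    if "windows" not in platforms and "all" not in platforms:
        findings.append("Windows device platform not included")

    # Step 7.2: mobile apps and desktop clients.
    client_apps = cond.get("clientAppTypes") or []
    if "mobileAppsAndDesktopClients" not in client_apps and "all" not in client_apps:
        findings.append("mobile apps and desktop clients not targeted")

    return findings


def evaluate_tenant(policies: list[dict]) -> dict:
    """'ok' if at least one enabled policy requires token protection as remediated, else 'alarm'."""
    per_policy = {p.get("displayName"): token_protection_findings(p) for p in policies}
    compliant = [name for name, f in per_policy.items() if not f]
    return {
        "status": "ok" if compliant else "alarm",
        "compliant_policies": compliant,
        "findings": per_policy,
    }


if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with json.load() of a real Graph export to run against a tenant.
    print(json.dumps(evaluate_tenant(SAMPLE_EXPORT), indent=2))
```

The evaluation deliberately treats a report-only policy as non-compliant: report-only mode is useful for staging, but it is exactly the state an administrator is likely to leave a policy in after step 9, and it enforces nothing.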

Tags