Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: Ensure Multi-factor Authentication is required for Azure Management

Description

For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.iam_conditional_access_mfa_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.iam_conditional_access_mfa_enabled --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  p.id as resource,
  case
    when p.built_in_controls @> '["mfa"]' then 'ok'
    else 'alarm'
  end as status,
  case
    when p.built_in_controls @> '["mfa"]' then p.display_name || ' MFA enabled.'
    else p.display_name || ' MFA disabled.'
  end as reason,
  t.tenant_id
  
from
  distinct_tenant as t,
  azuread_conditional_access_policy as p;

Tags

service = Azure/ActiveDirectory