Control: Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
Description
VPN Gateway point-to-site connections should use Azure Active Directory authentication for enhanced security and centralized identity management.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.network_virtual_network_gateway_aad_only

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.network_virtual_network_gateway_aad_only --share

SQL
This control uses a named query:
select
  g.id as resource,
  case
    -- 'ok' only when AAD is present and is the sole authentication type
    when vpn_client_configuration -> 'vpnAuthenticationTypes' @> '["AAD"]'::jsonb
      and jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') = 1 then 'ok'
    -- coalesce added: jsonb_array_length returns null when the gateway has no
    -- vpn_client_configuration, which would otherwise fall through to 'alarm'
    when coalesce(jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes'), 0) < 1 then 'skip'
    else 'alarm'
  end as status,
  case
    when vpn_client_configuration -> 'vpnAuthenticationTypes' @> '["AAD"]'::jsonb
      and jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') = 1
      then g.name || ' VPN authentication type is set to only Azure Active Directory.'
    when coalesce(jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes'), 0) < 1
      then g.name || ' has no point-to-site configuration defined.'
    else g.name || ' VPN authentication type is not restricted to only Azure Active Directory.'
  end as reason,
  g.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_virtual_network_gateway as g
  left join azure_subscription as sub on g.subscription_id = sub.subscription_id;
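The same classification rule, written as an added Python example that is not part of the azure_compliance mod, so the ok/skip/alarm decision can be exercised offline against gateway records shaped like the `vpn_client_configuration` column. The records, gateway names and the `evaluate_gateway`/`run_control` helpers are constructed for this example; a gateway with no point-to-site configuration is treated as 'skip'.

```python
# Constructed sample records mirroring the azure_virtual_network_gateway table:
# `vpn_client_configuration` is the ARM vpnClientConfiguration object, or None
# when the gateway has no point-to-site configuration at all.
SAMPLE_GATEWAYS = [
    {"name": "gw-aad-only",
     "vpn_client_configuration": {"vpnAuthenticationTypes": ["AAD"]}},
    {"name": "gw-aad-plus-cert",
     "vpn_client_configuration": {"vpnAuthenticationTypes": ["AAD", "Certificate"]}},
    {"name": "gw-radius",
     "vpn_client_configuration": {"vpnAuthenticationTypes": ["Radius"]}},
    {"name": "gw-empty-types",
     "vpn_client_configuration": {"vpnAuthenticationTypes": []}},
    {"name": "gw-no-p2s",
     "vpn_client_configuration": None},
]


def evaluate_gateway(gateway):
    """Return (status, reason) for one gateway, following the control's CASE logic."""
    name = gateway["name"]
    config = gateway.get("vpn_client_configuration") or {}
    auth_types = config.get("vpnAuthenticationTypes") or []

    # No P2S configuration (missing object, missing key or empty list): nothing to assess.
    if not auth_types:
        return "skip", f"{name} has no point-to-site configuration defined."
    # Equivalent to `@> '["AAD"]'` combined with jsonb_array_length(...) = 1:
    # AAD must be present and must be the only entry.
    if auth_types == ["AAD"]:
        return "ok", f"{name} VPN authentication type is set to only Azure Active Directory."
    return "alarm", (f"{name} VPN authentication type is not restricted "
                     "to only Azure Active Directory.")


def run_control(gateways):
    """Evaluate every gateway and return {name: status}."""
    return {g["name"]: evaluate_gateway(g)[0] for g in gateways}


if __name__ == "__main__":
    for gw in SAMPLE_GATEWAYS:
        status, reason = evaluate_gateway(gw)
        print(f"{status:5} {reason}")
```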