turbot/steampipe-mod-azure-compliance

Query: ad_admin_portals_require_mfa

Usage

powerpipe query azure_compliance.query.ad_admin_portals_require_mfa

SQL

-- Reports, per Azure tenant, whether at least one enabled Conditional Access
-- policy requires MFA for all users when they reach the Microsoft admin portals.
-- Output follows the Powerpipe control convention: resource, status, reason,
-- plus the tenant_id dimension column.
with tenant as (
  -- One row per distinct (tenant_id, display_name, subscription_id, _ctx).
  -- distinct applies to every selected column, so a tenant reached through
  -- several subscriptions still yields several rows here (one per
  -- subscription_id/_ctx combination) -- presumably intended, as each row
  -- is evaluated against the same per-tenant policy count below.
  select distinct
    tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
),
admin_portal_mfa_policy as (
  -- Count of enabled policies per tenant that target every user, scope the
  -- Microsoft admin portals application, and carry built-in grant control 1
  -- (presumably the MFA control in this plugin's encoding -- confirm against
  -- the azuread plugin before relying on it).
  -- Not examined here: excludeUsers/excludeGroups on the policy, role-scoped
  -- policies (includeRoles), and the grant operator (AND vs OR) -- a policy
  -- offering MFA *or* another control would still be counted.
  select
    tenant_id,
    count(*) as policy_count
  from
    azuread_conditional_access_policy
  where
    users -> 'includeUsers' ? 'All'
    and applications -> 'includeApplications' ? 'MicrosoftAdminPortals'
    and built_in_controls @> '[1]'::jsonb
    and state = 'enabled'
  group by
    tenant_id
)
select
  t.tenant_id as resource,
  -- Tenants with no matching policy get a null count from the left join;
  -- coalesce turns that into the 'alarm' branch explicitly.
  case
    when coalesce(p.policy_count, 0) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when coalesce(p.policy_count, 0) > 0 then t.display_name || ' has conditional access policy that requires MFA for All users (or admin roles) when accessing admin portals.'
    else t.display_name || ' does not have a conditional access policy that requires MFA for All users (or admin roles) when accessing admin portals.'
  end as reason,
  t.tenant_id
from
  tenant as t
  left join admin_portal_mfa_policy as p on p.tenant_id = t.tenant_id;

Controls

The query is being used by the following controls: