Query: directory_user_2fa_enrolled

Usage

powerpipe query googleworkspace_compliance.query.directory_user_2fa_enrolled

Steampipe Tables

googledirectory_user

SQL

select
  primary_email as resource,
  case
    when is_enrolled_in_2sv = false then 'alarm'
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then 'info'
    else 'ok'
  end as status,
  case
    when is_enrolled_in_2sv = false then 
      format('User %s is not enrolled in 2-Step Verification%s.', primary_email, 
  case
    when is_admin then ' (ADMIN)' else '' end)
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then
      format('User %s has 2FA enrolled but not enforced%s.', primary_email,
  case
    when is_admin then ' (ADMIN)' else '' end)
    else 
      format('User %s has 2-Step Verification properly configured%s.', primary_email,
  case
    when is_admin then ' (ADMIN)' else '' end)
  end as reason
from
  googledirectory_user
order by
  is_admin desc,
  is_enrolled_in_2sv asc,
  primary_email;

Controls

The query is being used by the following controls:

4.1.1.3 (L1) Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users