Benchmark: 1.1 Azure Active Directory
Overview
This section contains recommendations for Azure Active Directory (AAD), a cloud-based identity management service that underpins Microsoft 365. These recommendations focus on strengthening the foundational AAD settings, given that every Microsoft 365 tenant ships with a default AAD configuration.
For in-depth coverage of Azure, please refer to the CIS Microsoft Azure Benchmarks.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-microsoft365-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.1 Azure Active Directory.
Run this benchmark in your terminal:
powerpipe benchmark run microsoft365_compliance.benchmark.cis_v200_1_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run microsoft365_compliance.benchmark.cis_v200_1_1 --share
Controls
- 1.1.1 Ensure Security Defaults are disabled on Azure Active Directory
- 1.1.2 Ensure multifactor authentication is enabled for all users in administrative roles
- 1.1.3 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 1.1.4 Ensure multifactor authentication is enabled for all users
- 1.1.7 Ensure that between two and four global admins are designated
- 1.1.8 Ensure 'Self service password reset enabled' is set to 'All'
- 1.1.11 Enable Conditional Access policies to block legacy authentication
- 1.1.13 Enable Azure AD Identity Protection sign-in risk policies
- 1.1.14 Enable Azure AD Identity Protection user risk policies
- 1.1.16 Ensure that only organizationally managed/approved public groups exist
- 1.1.21 Ensure 'Microsoft Azure Management' is limited to administrative roles
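Each control in this benchmark is backed by a SQL query run through Steampipe against the Azure AD plugin tables, returning one row per resource with a status and reason that Powerpipe renders in the dashboard. The query below is an added illustration of that pattern for control 1.1.7 (between two and four global admins); it is not the mod's own query. It assumes the Azure AD plugin is installed and that the `azuread_directory_role` table exposes `display_name` and a `member_ids` JSON array, with tenant-specific values coming from your own connection.

```sql
-- Illustrative check for CIS 1.1.7 (assumed table layout, not the mod's own control query).
-- Powerpipe controls expect a `resource`, `status` and `reason` column per row.
-- Fewer than two Global Administrators is a single point of failure for tenant recovery;
-- more than four inflates the privileged attack surface and the blast radius of one
-- compromised account, so both ends of the range raise an alarm.
select
  display_name as resource,
  case
    when coalesce(jsonb_array_length(member_ids), 0) between 2 and 4 then 'ok'
    else 'alarm'
  end as status,
  display_name || ' has ' || coalesce(jsonb_array_length(member_ids), 0)
    || ' member(s); expected between 2 and 4.' as reason
from
  azuread_directory_role
where
  display_name = 'Global Administrator';
```

Running the query in `steampipe query` shows the same ok/alarm result the dashboard reports for the control, which is useful when you want to confirm why a control is alarming (for example, a break-glass account that was never counted) before adjusting role assignments.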