Benchmark: 5.2.2 Conditional Access
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-microsoft365-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 5.2.2 Conditional Access.
Run this benchmark in your terminal:
powerpipe benchmark run microsoft365_compliance.benchmark.cis_v500_5_2_2Snapshot and share results via Turbot Pipes:
powerpipe benchmark run microsoft365_compliance.benchmark.cis_v500_5_2_2 --shareControls
- 5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles
- 5.2.2.2 Ensure multifactor authentication is enabled for all users
- 5.2.2.3 Enable Conditional Access policies to block legacy authentication
- 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 5.2.2.6 Enable Identity Protection user risk policies
- 5.2.2.7 Enable Identity Protection sign-in risk policies
- 5.2.2.8 Ensure 'sign-in risk' is blocked for medium and high risk
- 5.2.2.9 Ensure a managed device is required for authentication
- 5.2.2.10 Ensure a managed device is required to register security information
- 5.2.2.11 Ensure sign-in frequency for Intune Enrollment is set to 'Every time'
- 5.2.2.12 Ensure the device code sign-in flow is blocked