Control: 5.1.1.1 Ensure Security Defaults is disabled
Description
Security defaults in Microsoft Entra ID make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.
By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security enabled. The security defaults setting is configured in the Entra admin center.
Enabling security defaults, however, blocks the custom Conditional Access settings that the more advanced controls in this benchmark require.
Security defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
For example, doing the following:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy authentication clients, which can’t do MFA.
Remediation
To remediate using the UI:
- Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
- Click to expand Identity, then select Overview.
- Click Properties.
- Click Manage security defaults.
- Set the Security defaults dropdown to Disabled.
- Select Save.
To remediate using PowerShell:
- Connect to the Microsoft Graph service using Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess".
- Run the following Microsoft Graph PowerShell commands:
$params = @{ IsEnabled = $false }
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params
Warning: It is recommended not to disable security defaults until you are ready to implement conditional access rules in the benchmark. Rules such as requiring MFA for all users and blocking legacy protocols are required in CA to make up for the gap created by disabling defaults. Plan accordingly. See the reference section for more details on what coverage Security Defaults provide.
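As an added verification script (not part of the CIS benchmark or of this Powerpipe mod), the following Microsoft Graph PowerShell reports whether the gap described in the warning is actually covered: it reads the security-defaults state and looks for enabled Conditional Access policies that require MFA for all users and block legacy authentication, returning an alarm where defaults are off but a compensating policy is missing. The policy-matching rules (all users plus the mfa grant; the exchangeActiveSync and other client app types plus the block grant) are assumptions about how the benchmark's Conditional Access policies are built.

```powershell
# Added example, not part of the CIS benchmark or the Powerpipe mod.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
Connect-MgGraph -Scopes "Policy.Read.All"

function Get-SecurityDefaultsCoverage {
    $defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $enabledPolicies = Get-MgIdentityConditionalAccessPolicy |
        Where-Object { $_.State -eq 'enabled' }

    # Assumption: a compensating MFA policy targets all users and grants access only with MFA.
    $mfaForAll = @($enabledPolicies | Where-Object {
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    })

    # Assumption: a legacy-auth policy targets the legacy client app types and blocks them.
    $blockLegacy = @($enabledPolicies | Where-Object {
        $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
        $_.Conditions.ClientAppTypes -contains 'other' -and
        $_.GrantControls.BuiltInControls -contains 'block'
    })

    # Same ok/alarm vocabulary as the control's SQL, extended with the warning's gap check.
    $status = if ($defaults.IsEnabled) {
        'alarm: security defaults enabled'
    } elseif ($mfaForAll.Count -gt 0 -and $blockLegacy.Count -gt 0) {
        'ok: security defaults disabled and compensating CA policies enabled'
    } else {
        'alarm: security defaults disabled without compensating CA policies'
    }

    [pscustomobject]@{
        SecurityDefaultsEnabled = [bool]$defaults.IsEnabled
        MfaForAllUsersPolicies  = @($mfaForAll.DisplayName)
        BlockLegacyAuthPolicies = @($blockLegacy.DisplayName)
        Status                  = $status
    }
}

Get-SecurityDefaultsCoverage | Format-List
```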
Default Value
Enabled.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v400_5_1_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v400_5_1_1_1 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  case
    when not is_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when not is_enabled then tenant_id || ' has security defaults disabled.'
    else tenant_id || ' has security defaults enabled.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_security_defaults_policy;