Control: 5.2.2.10 Ensure a managed device is required to register security information
Description
Conditional Access (CA) can be configured to enforce access based on the device's compliance status or whether it is Entra hybrid joined. Collectively this allows CA to classify devices as managed or not, providing more granular control over whether or not a user can register MFA on a device. Security information can then only be registered from devices the organization trusts and manages.
When using Require device to be marked as compliant, the device must pass checks configured in Compliance policies defined within Intune (Endpoint Manager). Before these checks can be applied, the device must first be enrolled in Intune MDM.
Selecting Require Microsoft Entra hybrid joined device means the device must first be synchronized from an on-premises Active Directory to qualify for authentication.
When configured to the recommended state below, only one of the two conditions needs to be met for the user to register MFA from the device; the controls are combined with an "OR" operator.
The recommended state is to restrict Register security information to a device that is marked as compliant or Entra hybrid joined.
Remediation
To remediate using the UI:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Protection > Conditional Access and select Policies.
- Create a new policy by selecting New policy.
- Under Users include All users.
- Under Target resources select User actions and check Register security information.
- Under Grant select Grant access.
- Check only Require multifactor authentication and Require Microsoft Entra hybrid joined device.
- Choose Require one of the selected controls and click Select at the bottom.
- Under Enable policy set it to Report-only until the organization is ready to enable it.
- Click Create.
Note: Break-glass accounts should be excluded from all Conditional Access policies.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_10
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_10 --share
SQL
This control uses a named query:
with tenant_list as (
  select distinct on (tenant_id)
    tenant_id,
    _ctx
  from azuread_user
),
conditional_access_policy as (
  select
    tenant_id,
    count(*) as conditional_access_policy_count
  from azuread_conditional_access_policy
  where users -> 'includeUsers' ? 'All'
    and built_in_controls @> '[2,3]'::jsonb
    and operator = 'OR'
    and applications -> 'includeUserActions' ? 'urn:user:registersecurityinfo'
    and state = 'enabled'
  group by tenant_id
)
select
  t.tenant_id as resource,
  case when conditional_access_policy_count > 0 then 'ok' else 'alarm' end as status,
  case
    when conditional_access_policy_count > 0 then t.tenant_id || ' has a conditional access policy requiring users to register security information only from a compliant or hybrid-joined device.'
    else t.tenant_id || ' does not have a conditional access policy requiring users to register security information only from a compliant or hybrid-joined device.'
  end as reason,
  t.tenant_id as tenant_id
from tenant_list as t
left join conditional_access_policy as p on p.tenant_id = t.tenant_id;
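The same conditions the query applies can be checked offline against policies exported from Microsoft Graph (for example from GET /identity/conditionalAccess/policies); the following is an added Python example, not part of the Powerpipe mod. It assumes Graph's string names for the two grant controls (compliantDevice, domainJoinedDevice) where the Steampipe table stores integers, and the sample policies are constructed.

```python
# Added example (not from the Powerpipe mod): evaluates Conditional Access policies in
# Microsoft Graph's JSON shape against the conditions the control's SQL applies.
REGISTER_SECINFO_ACTION = "urn:user:registersecurityinfo"
# Graph names the grant controls; the Steampipe table stores them as integers, which is
# why the query matches built_in_controls @> '[2,3]' (assumed to be these two controls).
REQUIRED_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def policy_qualifies(policy: dict) -> bool:
    """True when a single policy satisfies every condition the control looks for."""
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {}).get("includeUsers", [])
    actions = conditions.get("applications", {}).get("includeUserActions", [])
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"              # report-only enforces nothing
        and "All" in users
        and REGISTER_SECINFO_ACTION in actions
        and grant.get("operator") == "OR"             # compliant OR hybrid joined
        and REQUIRED_CONTROLS <= set(grant.get("builtInControls", []))
    )

def evaluate_tenant(policies: list) -> dict:
    """Per-tenant verdict with the query's semantics: 'ok' if any policy qualifies."""
    matching = [p["displayName"] for p in policies if policy_qualifies(p)]
    return {"status": "ok" if matching else "alarm", "matching_policies": matching}

def constructed_policy(name, state="enabled", operator="OR",
                       controls=("compliantDevice", "domainJoinedDevice"),
                       actions=(REGISTER_SECINFO_ACTION,)):
    """Minimal Graph-style conditionalAccessPolicy used only for the sample below."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeUserActions": list(actions)}},
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }

# Constructed sample tenant: only the first policy meets the control; each other one
# misses exactly one condition that the SQL would also reject.
SAMPLE_POLICIES = [
    constructed_policy("CA010 - Register security info from managed device"),
    constructed_policy("CA011 - Report-only draft", state="enabledForReportingButNotEnforced"),
    constructed_policy("CA012 - Requires both controls", operator="AND"),
    constructed_policy("CA013 - Compliant device only", controls=("compliantDevice",)),
    constructed_policy("CA014 - Targets apps, not the user action", actions=()),
]
```

Running evaluate_tenant(SAMPLE_POLICIES) reports "ok" on the strength of CA010 alone, and dropping that policy flips the tenant to "alarm" exactly as the query would.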