turbot/steampipe-mod-microsoft365-compliance

Control: 5.2.2.11 Ensure sign-in frequency for Intune Enrollment is set to 'Every time'

Description

Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. The Microsoft Entra ID default configuration for user sign-in frequency is a rolling window of 90 days.

The recommended state is a Sign-in frequency of Every time for Microsoft Intune Enrollment.

Note: Microsoft accounts for a five-minute clock skew when 'every time' is selected in a conditional access policy, ensuring that users are not prompted more frequently than once every five minutes.

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Protection > Conditional Access and select Policies.
  3. Create a new policy by selecting New policy.
    • Under Users include All users.
    • Under Target resources select Resources (formerly cloud apps), choose Select resources and add Microsoft Intune Enrollment to the list.
    • Under Grant select Grant access.
    • Check either Require multifactor authentication or Require authentication strength.
    • Under Session check Sign-in frequency and select Every time.
  4. Under Enable policy set it to Report-only until the organization is ready to enable it.
  5. Click Create.

Note: If the Microsoft Intune Enrollment cloud app isn't available then it must be created. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID d4ebce55-015a-49b5-a083-c84d1797ae8c, in PowerShell or Microsoft Graph.

Note: Break-glass accounts should be excluded from all Conditional Access policies.
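The same policy can be created from the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the Turbot mod or the CIS benchmark; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications modules are installed, and the break-glass object ID is a placeholder to replace with your own.

```powershell
# Added example (not the mod's own code): remediation steps 1-5 via Graph PowerShell.
# Creates the Intune Enrollment service principal if the note above applies,
# then a report-only policy with sign-in frequency 'every time'.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.ReadWrite.All'

$intuneEnrollmentAppId = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'   # app ID from the page
$breakGlassObjectIds   = @('00000000-0000-0000-0000-000000000000') # placeholder, replace

# The Microsoft Intune Enrollment cloud app must exist as a service principal
# before a Conditional Access policy can target it.
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneEnrollmentAppId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $intuneEnrollmentAppId
}

$policy = @{
    displayName = 'CIS 5.2.2.11 - Intune Enrollment sign-in frequency every time'
    # Report-only first (step 4); change to 'enabled' once the impact is reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassObjectIds   # keep break-glass accounts out
        }
        applications   = @{
            includeApplications = @($intuneEnrollmentAppId)
        }
    }
    grantControls   = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # alternatively set authenticationStrength
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After creation, the control's query above should report 'ok' for the tenant only once the policy state is switched from report-only to 'enabled'.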

Default Value

Sign-in frequency defaults to 90 days.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_11 --share

SQL

This control uses a named query:

-- One row per tenant, so that tenants with no matching policy still show up.
with tenant_list as (
  select distinct on (tenant_id) tenant_id, _ctx
  from azuread_user
),
-- Count enabled policies that target all users, require MFA or an
-- authentication strength, scope Microsoft Intune Enrollment and enable
-- a sign-in frequency session control.
conditional_access_policy as (
  select
    tenant_id,
    count(*) as conditional_access_policy_count
  from
    azuread_conditional_access_policy
  where
    users -> 'includeUsers' ? 'All'
    and (
      built_in_controls @> '[1]'::jsonb
      or authentication_strength is not null
    )
    and applications -> 'includeApplications' ? 'd4ebce55-015a-49b5-a083-c84d1797ae8c'
    and (sign_in_frequency ->> 'isEnabled')::boolean = true
    and state = 'enabled'
  group by
    tenant_id
)
select
  t.tenant_id as resource,
  case
    when conditional_access_policy_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when conditional_access_policy_count > 0 then t.tenant_id || ' has a Conditional Access policy enforcing sign-in frequency set to Every time for Microsoft Intune Enrollment.'
    else t.tenant_id || ' does not have a conditional access policy enforcing sign-in frequency set to Every time for Microsoft Intune Enrollment.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t
  -- Left join keeps tenants without any matching policy; their count is null and falls to 'alarm'.
  left join conditional_access_policy as p on p.tenant_id = t.tenant_id;

Tags