turbot/steampipe-mod-microsoft365-compliance

Control: 5.3.2 Ensure 'Access reviews' for Guest Users are configured

Description

Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.

Ensure Access reviews for Guest Users are configured to be performed no less frequently than monthly.

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Identity Governance and select Access reviews.
  3. Click New access review.
  4. Under Select what to review, choose Teams + Groups.
  5. Set Review scope to All Microsoft 365 groups with guest users; do not exclude any groups.
  6. Set Scope to Guest users only, then click Next: Reviews.
  7. Under Select reviewers, choose an appropriate user who is NOT the guest user themselves.
  8. Set Duration (in days) to at most 3.
  9. Set Review recurrence to Monthly or more frequent.
  10. Set End to Never, then click Next: Settings.
  11. Check Auto apply results to resource.
  12. Set If reviewers don't respond to Remove access.
  13. Check the following: Justification required, E-mail notifications, Reminders.
  14. Click Next: Review + Create and finally click Create.

Default Value

By default, access reviews are not configured.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v500_5_3_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_3_2 --share

SQL

This control uses a named query:

with tenant_list as (
  -- one row per tenant, derived from the user table
  select distinct on (tenant_id) tenant_id, _ctx
  from azuread_user
),
guest_user_access_reviews as (
  -- count schedule definitions whose settings match the remediation steps
  select
    tenant_id,
    count(*) as guest_user_access_review
  from
    azuread_access_review_schedule_definition
  where
    display_name = 'Review guest access across Microsoft 365 groups'
    and (settings -> 'mailNotificationsEnabled')::bool
    and (settings -> 'reminderNotificationsEnabled')::bool
    and (settings -> 'justificationRequiredOnApproval')::bool
    -- monthly or more frequent
    and settings -> 'recurrence' -> 'pattern' ->> 'type' in ('absoluteMonthly', 'weekly')
    and (settings -> 'autoApplyDecisionsEnabled')::bool
    -- non-responders lose access
    and settings ->> 'defaultDecision' = 'Deny'
  group by tenant_id
)
select
  t.tenant_id as resource,
  case
    when guest_user_access_review > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when guest_user_access_review > 0
      then t.tenant_id || ' has access reviews configured for guest users.'
    else t.tenant_id || ' does not have access reviews configured for guest users.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t
  -- tenants with no matching definition get a null count, hence 'alarm'
  left join guest_user_access_reviews as p on p.tenant_id = t.tenant_id;
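As an added example (not part of the mod's own code), the same conditions the query checks, evaluated in Python over constructed Graph-style schedule definitions, and extended with the duration and end-date requirements from the remediation steps that the query does not verify; the property names instanceDurationInDays and recurrence.range.type are assumed and do not appear in the query.

```python
"""Evaluate guest-access-review settings against the CIS 5.3.2 requirements."""
from typing import Any

# Settings names in the query are Graph accessReviewScheduleDefinition properties.
# instanceDurationInDays and recurrence.range.type are assumed names (not in the query).
REQUIRED_DISPLAY_NAME = "Review guest access across Microsoft 365 groups"
ALLOWED_PATTERNS = {"absoluteMonthly", "weekly"}  # monthly or more frequent


def review_findings(definition: dict[str, Any], max_duration_days: int = 3) -> list[str]:
    """Return the unmet requirements for one definition; an empty list means compliant."""
    s = definition.get("settings", {})
    rec = s.get("recurrence") or {}
    pattern_type = (rec.get("pattern") or {}).get("type")
    range_type = (rec.get("range") or {}).get("type")
    duration = s.get("instanceDurationInDays")
    checks = [
        (definition.get("displayName") == REQUIRED_DISPLAY_NAME, "displayName is not the guest-review name"),
        (s.get("mailNotificationsEnabled") is True, "mailNotificationsEnabled is not true"),
        (s.get("reminderNotificationsEnabled") is True, "reminderNotificationsEnabled is not true"),
        (s.get("justificationRequiredOnApproval") is True, "justificationRequiredOnApproval is not true"),
        (pattern_type in ALLOWED_PATTERNS, f"recurrence pattern {pattern_type!r} is less frequent than monthly"),
        (s.get("autoApplyDecisionsEnabled") is True, "autoApplyDecisionsEnabled is not true"),
        (s.get("defaultDecision") == "Deny", "defaultDecision is not 'Deny' (non-responders keep access)"),
        # Two remediation requirements the query does not check:
        (isinstance(duration, int) and duration <= max_duration_days,
         f"instanceDurationInDays exceeds {max_duration_days}"),
        (range_type == "noEnd", "recurrence range is not 'noEnd' (review series will stop)"),
    ]
    return [msg for ok, msg in checks if not ok]


def tenant_status(definitions: list[dict[str, Any]]) -> str:
    """'ok' when at least one definition passes every check, else 'alarm' (as the query's status column)."""
    return "ok" if any(not review_findings(d) for d in definitions) else "alarm"


# Constructed sample definitions, not real tenant data.
COMPLIANT = {
    "displayName": REQUIRED_DISPLAY_NAME,
    "settings": {
        "mailNotificationsEnabled": True, "reminderNotificationsEnabled": True,
        "justificationRequiredOnApproval": True, "autoApplyDecisionsEnabled": True,
        "defaultDecision": "Deny", "instanceDurationInDays": 3,
        "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 1}, "range": {"type": "noEnd"}},
    },
}
# Same review, but approves by default, runs two weeks, and has an end date.
WEAK = {**COMPLIANT, "settings": {**COMPLIANT["settings"], "defaultDecision": "Approve",
        "instanceDurationInDays": 14, "recurrence": {"pattern": {"type": "absoluteMonthly"}, "range": {"type": "endDate"}}}}

if __name__ == "__main__":
    print(tenant_status([COMPLIANT]), tenant_status([WEAK]), review_findings(WEAK))
```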

Tags