turbot/steampipe-mod-microsoft365-compliance

Control: 5.2.2.7 Enable Azure AD Identity Protection sign-in risk policies

Description

Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.

Note: While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the "legacy method" for the following benefits:

  • Enhanced diagnostic data
  • Report-only mode integration
  • Graph API support
  • Use more Conditional Access attributes like sign-in frequency in the policy

Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

Remediation

To configure a Sign-In risk policy, use the following steps:

  1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
  2. Click expand Protection > Conditional Access select Policies.
  3. Create a new policy by selecting New policy.
  4. Set the following conditions within the policy.
  • Under Users or workload identities choose All users.
  • Under Cloud apps or actions choose All cloud apps.
  • Under Conditions choose Sign-in risk then Yes and check the risk level boxes High and Medium.
  • Under Access Controls select Grant then in the right pane click Grant access then select Require multifactor authentication.
  • Under Session select Sign-in Frequency and set to Every time.
  1. Click Select.
  2. You may opt to begin in a state of Report Only as you step through implementation however, the policy will need to be set to On to be in effect.
  3. Click Create.

Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk Doc

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_2_7 --share

SQL

This control uses a named query:

with block_legacy_authentication as (
select
tenant_id,
count(*)
from
azuread_conditional_access_policy
where
users->'includeUsers' ?& array['All'] and
jsonb_array_length(users -> 'excludeUsers') = 0 and
jsonb_array_length(sign_in_risk_levels) != 0 and
applications->'includeApplications' ?& array['All'] and
jsonb_array_length(applications -> 'excludeApplications') = 0 and
built_in_controls ?& array['mfa']
group by
tenant_id
),
tenant_list as (
select
distinct on (tenant_id) tenant_id,
_ctx
from
azuread_user
)
select
t.tenant_id as resource,
case
when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then 'ok'
else 'alarm'
end as status,
case
when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then t.tenant_id || ' has sign-in risk policies enabled.'
else t.tenant_id || ' has sign-in risk policies disabled.'
end as reason
, t.tenant_id as tenant_id
from
tenant_list as t;

Tags