turbot/steampipe-mod-microsoft365-compliance

Control: 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

Description

In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:

  • Resource access from an unmanaged or shared device
  • Access to sensitive information from an external network
  • High-privileged users
  • Business-critical applications

Ensure Sign-in frequency periodic reauthentication does not exceed 4 hours for E3 tenants, or 24 hours for E5 tenants using Privileged Identity Management.

Ensure Persistent browser session is set to Never persistent

Note: This CA policy can be added to the previous CA policy in this benchmark "Ensure multifactor authentication is enabled for all users in administrative roles".

Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Protection > Conditional Access Select Policies.
  3. Click New policy.
  • Under Users include Select users and groups and check Directory roles.
  • At a minimum, include the directory roles listed below in this section of the document.
  • Under Target resources include All cloud apps and do not create any exclusions.
  • Under Grant select Grant Access and check Require multifactor authentication.
  • Under Session select Sign-in frequency select Periodic reauthentication and set it to 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
  • Check Persistent browser session then select Never persistent in the drop-down menu.
  1. Under Enable policy set it to Report Only until the organization is ready to enable it.

At minimum these directory roles should be included in the policy:

  • Application administrator
  • Authentication administrator
  • Billing administrator
  • Cloud application administrator
  • Conditional Access administrator
  • Exchange administrator
  • Global administrator
  • Global reader
  • Helpdesk administrator
  • Password administrator
  • Privileged authentication administrator
  • Privileged role administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

Default Value

The default configuration for user sign-in frequency is a rolling window of 90 days.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_4 --share

SQL

This control uses a named query:

with users_having_admin_roles as (
select
array_agg(role_template_id) as rid
from
azuread_directory_role
where
display_name like '%Administrator'
),
signin_frequency_enabled as (
select
tenant_id,
count(p.*)
from
azuread_conditional_access_policy as p,
users_having_admin_roles as a
where
(p.users -> 'includeRoles')::jsonb ?| (a.rid)
and (p.sign_in_frequency -> 'isEnabled')::bool
and (p.persistent_browser -> 'isEnabled')::bool
and p.persistent_browser ->> 'mode'='never'
and p.applications -> 'includeApplications' ?& array['All']
and jsonb_array_length(p.applications -> 'excludeApplications') = 0
and jsonb_array_length(p.built_in_controls) = 1
and p.built_in_controls ?& array['mfa']
and state = 'enabled'
group by
tenant_id
),
tenant_list as (
select
distinct on (tenant_id) tenant_id,
_ctx
from
azuread_user
)
select
tenant_id as resource,
case
when (select count from signin_frequency_enabled where tenant_id = t.tenant_id) > 0 then 'ok'
else 'alarm'
end as status,
case
when (select count from signin_frequency_enabled where tenant_id = t.tenant_id) > 0 then tenant_id || ' has sign-in frequency policy enabled.'
else tenant_id || ' has sign-in frequency policy disabled.'
end as reason
, t.tenant_id as tenant_id
from
tenant_list as t;

Tags