Control: 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
Description
In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:
- Resource access from an unmanaged or shared device
- Access to sensitive information from an external network
- High-privileged users
- Business-critical applications
Note: This CA policy can be added to the previous CA policy in this benchmark "Ensure multifactor authentication is enabled for all users in administrative roles"
Remediation
To remediate using the UI:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Protection > Conditional Access and select Policies.
- Click New policy.
- Under Users, include Select users and groups and check Directory roles. At a minimum, include the directory roles listed below in this section of the document.
- Under Target resources, include All resources (formerly 'All cloud apps').
- Under Grant, select Grant Access and check Require multifactor authentication.
- Under Session, select Sign-in frequency, select Periodic reauthentication and set it to 4 hours (or less).
- Check Persistent browser session, then select Never persistent in the drop-down menu.
- Under Enable policy, set it to Report Only until the organization is ready to enable it.
- Click Create.
At minimum these directory roles should be included in the policy:
- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator
Note: Break-glass accounts should be excluded from all Conditional Access policies.
Default Value
The default configuration for user sign-in frequency is a rolling window of 90 days.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_4 --share
SQL
This control uses a named query:
with users_having_admin_roles as (
  -- template IDs of every activated directory role whose display name ends in
  -- "Administrator"; this pattern does not match "Global reader", which the
  -- benchmark also requires to be in scope
  select array_agg(role_template_id) as rid
  from azuread_directory_role
  where display_name like '%Administrator'
),
signin_frequency_enabled as (
  -- policies that include at least one of those roles (?| is "any", not "all"),
  -- have sign-in frequency enabled (the 4-hour ceiling itself is not checked),
  -- set the persistent browser mode to never, target All resources with no
  -- exclusions, require MFA as the only grant control, and are enabled
  -- (a policy left in report-only mode does not satisfy this control)
  select tenant_id, count(p.*)
  from azuread_conditional_access_policy as p, users_having_admin_roles as a
  where (p.users -> 'includeRoles')::jsonb ?| (a.rid)
    and (p.sign_in_frequency -> 'isEnabled')::bool
    and (p.persistent_browser -> 'isEnabled')::bool
    and p.persistent_browser ->> 'mode' = 'never'
    and p.applications -> 'includeApplications' ?& array['All']
    and jsonb_array_length(p.applications -> 'excludeApplications') = 0
    and jsonb_array_length(p.built_in_controls) = 1
    and p.built_in_controls ?& array['mfa']
    and state = 'enabled'
  group by tenant_id
),
tenant_list as (
  -- one row per tenant, used so that a tenant with no matching policy still reports
  select distinct on (tenant_id) tenant_id, _ctx
  from azuread_user
)
select
  tenant_id as resource,
  case
    when (select count from signin_frequency_enabled where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count from signin_frequency_enabled where tenant_id = t.tenant_id) > 0 then tenant_id || ' has sign-in frequency policy enabled.'
    else tenant_id || ' has sign-in frequency policy disabled.'
  end as reason,
  t.tenant_id as tenant_id
from tenant_list as t;
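The named query above answers only whether some qualifying policy exists: it passes when a policy includes any one role ending in "Administrator", and it never checks that the sign-in frequency value is 4 hours or less. The query below is an added per-policy audit written for this page, not part of the Powerpipe mod, that lists each candidate policy with the required directory roles it is missing and a verdict covering the remediation settings above. It assumes the same Steampipe azuread tables and columns the named query uses, and that the sign_in_frequency column carries the Microsoft Graph signInFrequency object (fields isEnabled, frequencyInterval, type with values 'hours' or 'days', and value); those field names are an assumption taken from the Graph schema, not from this page. It also relies on azuread_directory_role, which only returns roles that have been activated in the tenant, so a role nobody has ever been assigned cannot be flagged as missing.

```sql
-- Added audit query (not the mod's own code). Assumes Steampipe azuread tables and,
-- for sign_in_frequency, the Graph signInFrequency fields named in the lead-in.
with required_roles as (
  -- the fifteen directory roles the benchmark requires in scope
  select role_template_id, display_name
  from azuread_directory_role
  where lower(display_name) in (
    'application administrator', 'authentication administrator', 'billing administrator',
    'cloud application administrator', 'conditional access administrator',
    'exchange administrator', 'global administrator', 'global reader',
    'helpdesk administrator', 'password administrator',
    'privileged authentication administrator', 'privileged role administrator',
    'security administrator', 'sharepoint administrator', 'user administrator'
  )
),
candidate_policies as (
  -- policies shaped like the remediation: All resources, no exclusions, MFA only
  select
    p.id,
    p.display_name,
    p.state,
    p.users,
    (p.sign_in_frequency ->> 'isEnabled')::bool        as sif_enabled,
    p.sign_in_frequency ->> 'frequencyInterval'         as sif_interval,
    (p.sign_in_frequency ->> 'value')::int              as sif_value,
    p.sign_in_frequency ->> 'type'                      as sif_unit,
    (p.persistent_browser ->> 'isEnabled')::bool        as pb_enabled,
    p.persistent_browser ->> 'mode'                     as pb_mode
  from azuread_conditional_access_policy as p
  where p.applications -> 'includeApplications' ? 'All'
    and jsonb_array_length(p.applications -> 'excludeApplications') = 0
    and p.built_in_controls ?& array['mfa']
    and jsonb_array_length(p.built_in_controls) = 1
),
scored as (
  select
    c.id,
    c.display_name,
    c.state,
    -- 'everyTime' reauthenticates at every sign-in, stricter than any window;
    -- a time-based window is normalised to hours and held to the 4-hour ceiling
    coalesce(case
      when not coalesce(c.sif_enabled, false) then false
      when c.sif_interval = 'everyTime'        then true
      when c.sif_unit = 'hours'                then c.sif_value <= 4
      when c.sif_unit = 'days'                 then c.sif_value * 24 <= 4
      else false
    end, false) as sif_ok,
    coalesce(c.pb_enabled, false) and c.pb_mode = 'never' as browser_ok,
    -- required roles whose template ID is absent from the policy's includeRoles;
    -- a missing includeRoles key counts every role as missing
    coalesce(
      array_agg(r.display_name order by r.display_name)
        filter (where not coalesce((c.users -> 'includeRoles')::jsonb ? r.role_template_id, false)),
      array[]::text[]
    ) as missing_roles
  from candidate_policies as c
  left join required_roles as r on true
  group by c.id, c.display_name, c.state, c.sif_enabled, c.sif_interval,
           c.sif_value, c.sif_unit, c.pb_enabled, c.pb_mode
)
select
  display_name,
  state,
  sif_ok,
  browser_ok,
  missing_roles,
  case
    when state <> 'enabled'              then 'policy not enabled (report-only does not enforce)'
    when not sif_ok                      then 'sign-in frequency disabled or longer than 4 hours'
    when not browser_ok                  then 'persistent browser session is not never persistent'
    when cardinality(missing_roles) > 0  then 'required directory roles missing from policy'
    else 'ok'
  end as verdict
from scored
order by verdict, display_name;
```

Run it with `steampipe query` against the same connection the control uses. A tenant is in the state the control intends only when at least one row reads `ok`; a row whose verdict is `policy not enabled` is the policy that was left in Report Only during rollout, and its `missing_roles` column tells you what to add before switching it on.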