turbot/steampipe-mod-microsoft365-compliance

Control: 5.2.3.5 Ensure weak authentication methods are disabled

Description

Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational.

SMS and Voice Call rely on telephony carrier communication methods to deliver the authenticating factor. Neither is phishing resistant, and both are exposed to attacks on the carrier channel itself (SIM swapping, number porting and interception of telephony traffic), which is why they are classed as weak.

The email one-time passcode feature is a way to authenticate B2B collaboration users when they can't be authenticated through other means, such as Microsoft Entra ID, Microsoft account (MSA), or social identity providers. When a B2B guest user tries to redeem your invitation or sign in to your shared resources, they can request a temporary passcode, which is sent to their email address. Then they enter this passcode to continue signing in.

The recommended state is to Disable these methods:

  • SMS
  • Voice Call
  • Email OTP

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Protection and select Authentication methods.
  3. Select Policies.
  4. Inspect each method that is out of compliance and remediate:
  • Click on the method to open it.
  • Change the Enable toggle to the off position.
  • Click Save.

Note: If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published.

To remediate using PowerShell:

  1. Connect to Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
  2. Run the following to disable all three authentication methods (the method ids "Sms", "Voice" and "Email" are the ids the Graph authenticationMethodsPolicy resource uses for SMS, Voice Call and Email OTP):
    $params = @(
        @{ Id = "Sms"; State = "disabled" },
        @{ Id = "Voice"; State = "disabled" },
        @{ Id = "Email"; State = "disabled" }
    )
    Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations $params
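The audit-then-remediate flow a practitioner would actually run, as an added example that is not code from the Steampipe mod or the CIS benchmark: it reads the current policy, reports the state of each of the three weak methods, disables only the ones still enabled, and re-reads the policy to confirm the change. It assumes the Microsoft.Graph PowerShell SDK is installed and a role that can consent to Policy.ReadWrite.AuthenticationMethod, and it reuses the same cmdlet and hashtable shape as the remediation above.

```powershell
# Added example (not part of the Steampipe mod or the CIS benchmark).
# Assumes the Microsoft.Graph PowerShell SDK and a role able to consent to the scope below.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

# Method ids as they appear in the Graph authenticationMethodsPolicy resource.
$weakMethods = @("Sms", "Voice", "Email")

$policy = Get-MgPolicyAuthenticationMethodPolicy

$findings = foreach ($id in $weakMethods) {
    $cfg = $policy.AuthenticationMethodConfigurations | Where-Object { $_.Id -eq $id }
    $state = if ($cfg) { $cfg.State } else { "missing" }
    [pscustomobject]@{
        Method    = $id
        State     = $state
        # Only an explicit "disabled" counts as compliant; a missing entry is reported
        # rather than silently passed, so an unexpected API response is visible.
        Compliant = [bool]($cfg -and $cfg.State -eq "disabled")
    }
}

$findings | Format-Table -AutoSize

$toDisable = @($findings | Where-Object { -not $_.Compliant -and $_.State -ne "missing" })
if ($toDisable.Count -eq 0) {
    Write-Host "All three weak methods are already disabled; nothing to change."
    Disconnect-MgGraph | Out-Null
    return
}

# Same hashtable shape the Remediation section uses, restricted to the methods that are
# actually out of compliance. Append -WhatIf to the Update call to preview without changing.
$params = @($toDisable | ForEach-Object { @{ Id = $_.Method; State = "disabled" } })
Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations $params

# Re-read the policy and confirm the change landed before trusting the audit result.
$after = Get-MgPolicyAuthenticationMethodPolicy
$stillEnabled = @($after.AuthenticationMethodConfigurations |
    Where-Object { $_.Id -in $weakMethods -and $_.State -ne "disabled" })
if ($stillEnabled.Count -gt 0) {
    Write-Warning ("Still enabled after update: " + ($stillEnabled.Id -join ", "))
} else {
    Write-Host "Verified: SMS, Voice Call and Email OTP are all disabled."
}
Disconnect-MgGraph | Out-Null
```

Run it once with -WhatIf on the Update call to see which methods would change, then without. Disabling Email OTP affects only B2B guest redemption, so confirm guests have another sign-in path (their own Entra ID, MSA or a federated provider) before applying it.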

Default Value

  • SMS : Disabled
  • Voice Call : Disabled
  • Email OTP : Enabled

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v500_5_2_3_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_3_5 --share

SQL

This control uses a named query:

with tenant_list as (
  select distinct on (tenant_id) tenant_id, _ctx
  from azuread_user
),
-- Count the weak methods (SMS, Voice Call, Email OTP) that are still enabled.
-- A tenant with all three disabled produces no row here, so the join below is a
-- left join and the count is coalesced to 0.
authentication_method_policy as (
  select
    tenant_id,
    count(*) as weak_methods_enabled
  from
    azuread_authentication_method_policy,
    jsonb_array_elements(authentication_method_configurations) as cfg
  where
    cfg ->> 'id' in ('Sms', 'Voice', 'Email')
    and cfg ->> 'state' = 'enabled'
  group by tenant_id
)
select
  t.tenant_id as resource,
  -- The control requires the weak methods to be disabled, so 'ok' means none are enabled.
  case
    when coalesce(p.weak_methods_enabled, 0) = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when coalesce(p.weak_methods_enabled, 0) = 0 then t.tenant_id || ' has SMS, Voice call, and Email OTP authentication methods all disabled.'
    else t.tenant_id || ' has ' || p.weak_methods_enabled::text || ' of the SMS, Voice call, and Email OTP authentication methods enabled.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t
  left join authentication_method_policy as p on p.tenant_id = t.tenant_id;

Tags