turbot/steampipe-mod-microsoft365-compliance

Control: 5.1.4.2 Ensure the maximum number of devices per user is limited

Description

This setting defines the maximum number of Microsoft Entra joined or registered devices that a user can have in Microsoft Entra ID. Once this limit is reached, no additional devices can be added until existing ones are removed. Values above 100 are automatically capped at 100.

The recommended state is 20 or less.

Remediation

To remediate using the UI:

  1. Navigate to the Microsoft Entra admin center at https://entra.microsoft.com/.
  2. Click to expand Entra ID > Devices, then select Device settings.
  3. Set Maximum number of devices per user to 20 (Recommended) or less.

Default Value

50

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_2 --share

SQL

This control uses a named query:

select
  tenant_id || '/' || id as resource,
  case
    when user_device_quota <= 20 then 'ok'
    else 'alarm'
  end as status,
  case
    when user_device_quota <= 20 then tenant_id || ' has maximum devices per user limited to ' || user_device_quota || ' (recommended: 20 or less).'
    else tenant_id || ' has maximum devices per user set to ' || user_device_quota || ' (recommended: 20 or less).'
  end as reason,
  tenant_id as tenant_id
from
  azuread_device_registration_policy;
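
The following is an added example, not the mod's own query: it applies the same threshold logic to constructed sample rows so that the boundary cases can be inspected in any PostgreSQL session without a tenant connection. The tenant names and id values are constructed, and the extra branch for a missing quota is an assumption about how a reviewer might want that case reported.

```sql
-- Constructed rows standing in for azuread_device_registration_policy.
with sample_policy (tenant_id, id, user_device_quota) as (
  values
    ('tenant-a', 'sample-policy-id', 50),    -- the default value
    ('tenant-b', 'sample-policy-id', 20),    -- exactly the recommended limit
    ('tenant-c', 'sample-policy-id', 21),    -- one above the recommended limit
    ('tenant-d', 'sample-policy-id', 100),   -- the highest value the setting accepts
    ('tenant-e', 'sample-policy-id', null)   -- quota missing from the result
)
select
  tenant_id || '/' || id as resource,
  case
    -- A NULL quota makes the comparison NULL, so it falls through to 'alarm'.
    when user_device_quota <= 20 then 'ok'
    else 'alarm'
  end as status,
  case
    -- Without this branch, concatenating a NULL quota would make the whole
    -- reason NULL and the alarm would carry no explanation.
    when user_device_quota is null
      then tenant_id || ' returned no maximum devices per user value (recommended: 20 or less).'
    when user_device_quota <= 20
      then tenant_id || ' has maximum devices per user limited to ' || user_device_quota || ' (recommended: 20 or less).'
    else tenant_id || ' has maximum devices per user set to ' || user_device_quota || ' (recommended: 20 or less).'
  end as reason,
  tenant_id
from
  sample_policy
order by
  tenant_id;
```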

Tags