Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →

Plugins Docs Home

turbot/steampipe-mod-microsoft365-compliance

azuread_account_provisioning_activity_report_reviewed azuread_admin_consent_workflow_enabled azuread_admin_user_mfa_enabled azuread_administrative_account_on_premises_sync_disabled azuread_all_user_mfa_enabled azuread_audit_log_search_enabled azuread_authentication_method_microsoft_authenticator_mfa_fatigue_protection azuread_authentication_method_restrict_insecure_methods azuread_authorization_policy_accessing_company_data_not_allowed azuread_conditional_access_block_device_code_flow azuread_conditional_access_block_signin_risk_medium_high azuread_conditional_access_require_managed_device_for_authentication azuread_conditional_access_require_managed_device_register_security_info azuread_conditional_access_signin_frequency_intune_every_time azuread_dynamic_group_for_guest_user azuread_global_admin_range_restricted azuread_group_not_public azuread_guest_user_access_reviews_configured azuread_guest_user_info azuread_legacy_authentication_disabled azuread_microsoft_azure_management_limited_to_administrative_roles azuread_password_protection_enabled azuread_privileged_roles_access_reviews_configured azuread_risky_sign_ins_report azuread_security_default_disabled azuread_signin_frequency_policy azuread_signin_risk_policy azuread_third_party_application_not_allowed azuread_user_password_not_set_to_expire azuread_user_risk_policy azuread_user_sspr_enabled microsoft365_calendar_sharing_disabled microsoft365_sharepoint_external_content_sharing_restricted microsoft365_sharepoint_external_sharing_managed_by_domain_whitelist_or_blacklist microsoft365_sharepoint_resharing_by_external_users_disabled microsoft_user_mfa_capable

Query: azuread_audit_log_search_enabled

Usage

powerpipe query microsoft365_compliance.query.azuread_audit_log_search_enabled

Steampipe Tables

azuread_directory_audit_report

Azure Active Directory plugin

SQL

with audit_count as (
  select
    tenant_id,
    count(id)
  from
    azuread_directory_audit_report
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when a.count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when a.count > 0 then t.tenant_id || ' has audit log search enabled.'
    else t.tenant_id || ' has audit log search disabled.'
  end as reason
  , t.tenant_id as tenant_id
from
  tenant_list as t
  left join audit_count as a on t.tenant_id = a.tenant_id;

Controls

The query is being used by the following controls: