azuread_account_provisioning_activity_report_reviewedazuread_admin_consent_workflow_enabledazuread_admin_user_mfa_enabledazuread_administrative_account_on_premises_sync_disabledazuread_all_user_mfa_enabledazuread_audit_log_search_enabledazuread_authentication_method_microsoft_authenticator_mfa_fatigue_protectionazuread_authentication_method_restrict_insecure_methodsazuread_authorization_policy_accessing_company_data_not_allowedazuread_conditional_access_block_device_code_flowazuread_conditional_access_block_signin_risk_medium_highazuread_conditional_access_require_managed_device_for_authenticationazuread_conditional_access_require_managed_device_register_security_infoazuread_conditional_access_signin_frequency_intune_every_timeazuread_dynamic_group_for_guest_userazuread_global_admin_range_restrictedazuread_group_not_publicazuread_guest_user_access_reviews_configuredazuread_guest_user_infoazuread_legacy_authentication_disabledazuread_microsoft_azure_management_limited_to_administrative_rolesazuread_password_protection_enabledazuread_privileged_roles_access_reviews_configuredazuread_risky_sign_ins_reportazuread_security_default_disabledazuread_signin_frequency_policyazuread_signin_risk_policyazuread_third_party_application_not_allowedazuread_user_password_not_set_to_expireazuread_user_risk_policyazuread_user_sspr_enabledmicrosoft365_calendar_sharing_disabledmicrosoft365_sharepoint_external_content_sharing_restrictedmicrosoft365_sharepoint_external_sharing_managed_by_domain_whitelist_or_blacklistmicrosoft365_sharepoint_resharing_by_external_users_disabledmicrosoft_user_mfa_capable
Query: azuread_authentication_method_microsoft_authenticator_mfa_fatigue_protection
Usage
powerpipe query microsoft365_compliance.query.azuread_authentication_method_microsoft_authenticator_mfa_fatigue_protectionSteampipe Tables
SQL
with tenant_list as ( select distinct on (tenant_id) tenant_id, _ctx from azuread_user),authentication_method_policy as ( select tenant_id, count(*) as authentication_method_policy_count from azuread_authentication_method_policy, jsonb_array_elements(authentication_method_configurations) as cfg where cfg ->> 'id' = 'MicrosoftAuthenticator' and cfg ->> 'state' = 'enabled' and exists ( select 1 from jsonb_array_elements(cfg -> 'includeTargets') as t where t ->> 'id' = 'all_users' ) and cfg -> 'featureSettings' -> 'numberMatchingRequiredState' ->> 'state' = 'enabled' and cfg -> 'featureSettings' -> 'numberMatchingRequiredState' -> 'includeTarget' ->> 'id' = 'all_users' and cfg -> 'featureSettings' -> 'displayAppInformationRequiredState' ->> 'state' = 'enabled' and cfg -> 'featureSettings' -> 'displayAppInformationRequiredState' -> 'includeTarget' ->> 'id' = 'all_users' and cfg -> 'featureSettings' -> 'displayLocationInformationRequiredState' ->> 'state' = 'enabled' and cfg -> 'featureSettings' -> 'displayLocationInformationRequiredState' -> 'includeTarget' ->> 'id' = 'all_users' group by tenant_id)select t.tenant_id as resource, case when authentication_method_policy_count > 0 then 'ok' else 'alarm' end as status, case when authentication_method_policy_count > 0 then t.tenant_id || ' has Microsoft Authenticator enabled and configured with number matching, application name display, and location display enforced for all users to protect against MFA fatigue.' else t.tenant_id || ' does not have Microsoft Authenticator fully configured with number matching, application name display, and location display for all users to protect against MFA fatigue.' end as reason , t.tenant_id as tenant_idfrom tenant_list as t left join authentication_method_policy as p on p.tenant_id = t.tenant_id;
Controls
The query is being used by the following controls: