Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →

Plugins Docs Home

turbot/steampipe-mod-microsoft365-compliance

azuread_account_provisioning_activity_report_reviewed azuread_admin_consent_workflow_enabled azuread_admin_user_mfa_enabled azuread_administrative_account_on_premises_sync_disabled azuread_all_user_mfa_enabled azuread_audit_log_search_enabled azuread_authentication_method_microsoft_authenticator_mfa_fatigue_protection azuread_authentication_method_restrict_insecure_methods azuread_authorization_policy_accessing_company_data_not_allowed azuread_conditional_access_block_device_code_flow azuread_conditional_access_block_signin_risk_medium_high azuread_conditional_access_require_managed_device_for_authentication azuread_conditional_access_require_managed_device_register_security_info azuread_conditional_access_signin_frequency_intune_every_time azuread_dynamic_group_for_guest_user azuread_global_admin_range_restricted azuread_group_not_public azuread_guest_user_access_reviews_configured azuread_guest_user_info azuread_legacy_authentication_disabled azuread_microsoft_azure_management_limited_to_administrative_roles azuread_password_protection_enabled azuread_privileged_roles_access_reviews_configured azuread_risky_sign_ins_report azuread_security_default_disabled azuread_signin_frequency_policy azuread_signin_risk_policy azuread_third_party_application_not_allowed azuread_user_password_not_set_to_expire azuread_user_risk_policy azuread_user_sspr_enabled microsoft365_calendar_sharing_disabled microsoft365_sharepoint_external_content_sharing_restricted microsoft365_sharepoint_external_sharing_managed_by_domain_whitelist_or_blacklist microsoft365_sharepoint_resharing_by_external_users_disabled microsoft_user_mfa_capable

Query: azuread_conditional_access_block_device_code_flow

Usage

powerpipe query microsoft365_compliance.query.azuread_conditional_access_block_device_code_flow

Steampipe Tables

azuread_conditional_access_policy

Azure Active Directory plugin

SQL

with tenant_list as (
  select distinct on (tenant_id) tenant_id, _ctx
  from azuread_user
),
conditional_access_policy as (
  select
    tenant_id,
    count(*) as conditional_access_policy_count
  from
    azuread_conditional_access_policy
  where
    users -> 'includeUsers' ? 'All'
    and applications -> 'includeApplications' ? 'All'
    and built_in_controls @> '[0]'::jsonb
    and additional_data -> 'authenticationFlows' ->> 'transferMethods' = 'deviceCodeFlow'
    and state = 'enabled'
  group
    by tenant_id
)
select
  t.tenant_id as resource,
  case
    when conditional_access_policy_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when conditional_access_policy_count > 0 then t.tenant_id || ' has a conditional access policy that blocks the device code sign-in flow.'
    else t.tenant_id || ' does not have a conditional access policy that blocks the device code sign-in flow.'
  end as reason
  , t.tenant_id as tenant_id
from
  tenant_list as t
  left join conditional_access_policy as p on p.tenant_id = t.tenant_id;

Controls

The query is being used by the following controls:

5.2.2.12 Ensure the device code sign-in flow is blocked